
SOC Prime Platform Product Release Notes 5.3.4

Written by Sergey Bayrachny

© 2022 SOC Prime Inc.

All rights reserved. This product and documentation related are protected by copyright and distributed under licenses restricting their use, copying, distribution, and decompilation. No part of this product or documentation related may be reproduced in any form or by any means without the prior written authorization of SOC Prime. While every precaution has been taken in the preparation of this book, SOC Prime assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

SOC Prime Platform Updates


New Content Access Model


With this release, we've updated the content access model, making it simpler and easier to understand.

The time window principle is gone. Now, users with a Community plan can access the new content as soon as it's released and keep access without a time limit.

Access to some rules is always free. Such rules are labeled Free Access and Promo.

Accessing other rules, labeled On Demand, requires using your Sigma rule balance.

Each user with a Community plan has an individual balance. Two Sigma rules are credited to it each week and expire if not used within 7 days. The balance can be used to unlock Sigma rules either on a rule's page or in Quick Hunt. Rules unlocked on a content item page also become accessible in Quick Hunt, and vice versa.

You can check your balance on a content item page, as well as in Quick Hunt and in the Account menu.

When unlocking an on-demand Sigma rule for the first time, the user sees a modal notifying that the selected rule will be unlocked using the Sigma balance.

The availability status of the rule changes to Unlocked.

Further on-demand rules are unlocked automatically. Right after unlock, a popup is displayed near the balance.

Under an On Demand plan, all users that belong to the same organization have a shared Sigma rule balance chosen at the time of upgrade. Each of the users can use the balance to unlock on-demand rules, and all unlocked rules become available to each user of the organization.

To compare access to content and features under different subscription plans, see our Upgrade page.

Upgrade Page


We've redesigned and improved our Upgrade page on the SOC Prime Platform and Pricing page at socprime.com to reflect the new changes in access to content and simplify comparing plans.

Now, when choosing an On Demand plan, you can easily select all applicable settings right on the page:

  • Type of use: end consumer or MDR/MSSP

  • Payment method: card or purchase order

  • Content amount: 50, 50+500, 100, 200, 500, or 1,000

You can also click the Get a Quote button, and we'll provide you with a quote by email.

Content Quality Improvements


To ensure a better user experience, we’ve improved the quality of translation into the following formats:

Google Chronicle Rule

We’ve removed the level field from Google Chronicle Rule meta information to avoid duplication with the severity field. Additionally, we've revised the possible values of the severity field. Now, the values of the level field in a Sigma rule and the severity field in a Chronicle rule are mapped as follows:

Sigma      Chronicle
low        low
medium     medium
high       high
critical   critical

Splunk

We’ve fixed an issue where, in some cases, the source was misplaced in translations to the Splunk format, which could decrease performance. For example, a query was generated as (CommandLine="selection1") OR (CommandLine="selection2") AND source="WinEventLog:*" instead of source="WinEventLog:*" AND (CommandLine="selection1") OR (CommandLine="selection2").

Custom Field Mapping Enhancements


Indexes for Splunk

We’ve ensured that translations into the Splunk format include the index value even when the Sigma body doesn’t have the index field. Now, if a user has custom indexes specified in the Custom Field Mapping, the index value is automatically added at the beginning of the query when the corresponding Custom Field Mapping is applied. For example:

  • Without Custom Field Mapping applied: source="WinEventLog:*" AND ((((ParentImage="*WINWORD.EXE" OR ParentImage="*EXCEL.EXE")

  • With Custom Field Mapping applied: (index="my_windows" OR index="sysmon_index") source="WinEventLog:*" AND ((((ParentImage="*WINWORD.EXE" OR ParentImage="*EXCEL.EXE")
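The two Splunk changes above (moving the source restriction in front of the detection logic, and prepending the indexes from a Custom Field Mapping when the query has none) can be checked with a small post-processor. This is an added Python example, not SOC Prime's translation code; the misplaced query is constructed from the Splunk example above and the index names are the ones from the bullets.

```python
import re
# Constructed sample translation as it looked before the fix: the source
# restriction trails the detection logic (added example, not SOC Prime's own code).
MISPLACED = '(CommandLine="selection1") OR (CommandLine="selection2") AND source="WinEventLog:*"'

def split_top_level(query):
    """Split a Splunk search into depth-0 terms and the AND/OR operators between them."""
    terms, ops, depth, in_str, start, i = [], [], 0, False, 0, 0
    while i < len(query):
        ch = query[i]
        if ch == '"':
            in_str = not in_str  # quoted values may contain spaces, parentheses, AND or OR
        elif not in_str and ch in "()":
            depth += 1 if ch == "(" else -1
        elif not in_str and depth == 0:
            m = re.match(r" (AND|OR) ", query[i:])
            if m:
                terms.append(query[start:i].strip())
                ops.append(m.group(1))
                i, start = i + m.end(), i + m.end()
                continue
        i += 1
    terms.append(query[start:].strip())
    return terms, ops

def normalize_splunk_query(query, custom_indexes=()):
    """Move top-level source= terms to the front and prepend custom indexes if none is set."""
    # Splunk evaluates OR before AND, so `A OR B AND source=X` already means
    # `(A OR B) AND source=X`; the rest is parenthesised explicitly so the rewrite
    # keeps that meaning while letting the indexer narrow the data set first.
    terms, ops = split_top_level(query)
    src_idx = [i for i, t in enumerate(terms) if t.startswith("source=")]
    for i in src_idx:  # only relocate a source= term that is AND-joined on both sides
        if (i > 0 and ops[i - 1] != "AND") or (i < len(ops) and ops[i] != "AND"):
            return query
    pieces = []  # remaining terms with their operators, source= terms removed
    for i, term in enumerate(terms):
        if i in src_idx:
            continue
        if pieces:
            pieces.append(ops[i - 1])
        pieces.append(term)
    head = []
    if custom_indexes and not any("index=" in t for t in terms):
        head.append("(" + " OR ".join(f'index="{ix}"' for ix in custom_indexes) + ")")
    head += [terms[i] for i in src_idx]
    if not head or not pieces:
        return query
    body = pieces[0] if len(pieces) == 1 else "(" + " ".join(pieces) + ")"
    return " ".join(head) + " AND " + body
```

Queries whose source= term is OR-joined are returned unchanged, since relocating it would change what the search matches.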

UI Improvements

To avoid cross-platform confusion, we’ve made some changes to the interface of the Custom Field Mapping. In particular, the Source field was renamed for Splunk, Microsoft Sentinel, and Elastic Stack:

  • Splunk and Elastic Stack: SourceIndex

  • Microsoft Sentinel: SourceTable


Continuous Content Management


Settings in Dynamic Content Lists

To make Dynamic Content Lists even more flexible, we've extended their settings with an additional option to provide a Lucene query that defines what content should be included or excluded.

Additionally, we've reordered the List parameters and deprecated the SOC Prime Verified setting.

In all existing Dynamic Content Lists, the value of this setting was transferred to the Lucene Query field:

  • Yes → is_verified:true

  • No → is_verified:false

Allowed IP Ranges

We've added support for entire IP ranges, not only individual IPs, in the Allowed IP field under the API section of Continuous Content Management.
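To show how an Allowed IP value mixing single addresses and ranges is validated and enforced, here is an added Python example (not SOC Prime's implementation). The allow-list value and the client addresses are constructed; entries with host bits set inside a range are rejected rather than silently masked, so a typo cannot widen the allow list.

```python
import ipaddress

# Constructed Allowed IP value mixing single IPs and CIDR ranges (added example, not SOC Prime's code).
ALLOWED_IP_FIELD = "203.0.113.10, 198.51.100.0/24, 2001:db8::/48, 203.0.113.0/32"

def parse_allowed_ips(field):
    """Parse a comma/whitespace separated Allowed IP value into IPv4/IPv6 networks.

    Single addresses become /32 (or /128) networks. strict=True makes ip_network
    raise on entries like 198.51.100.5/24, which are collected as errors instead
    of being quietly widened to the whole /24.
    """
    networks, errors = [], []
    for entry in field.replace(",", " ").split():
        try:
            networks.append(ipaddress.ip_network(entry, strict=True))
        except ValueError as exc:
            errors.append(f"{entry}: {exc}")
    return networks, errors

def is_allowed(client_ip, networks):
    """True if client_ip falls inside any allowed network of the same IP version."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip.version == net.version and ip in net for net in networks)

if __name__ == "__main__":
    nets, errs = parse_allowed_ips(ALLOWED_IP_FIELD)
    print(nets, errs, is_allowed("198.51.100.77", nets))
```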

Smoking Guns Sorting


To ensure our users can easily find the most reliable content for the most severe threats, we’ve added a new Smoking Guns sorting option. It is available in both Advanced Search and Quick Hunt for users with Community, On Demand, and Enterprise subscriptions.

Snowflake in Onboarding


With this release, we’ve added the option to map log sources for Snowflake manually as part of the Onboarding Wizard.

All of the Profiles created during the Onboarding have (Onboarding) in their name in your Custom Field Mapping list.

OTP Verification


To ensure proper functioning of the OTP verification, we’ve made it possible to resend the one-time password only 300 seconds after the last OTP was received. This applies to login and email change.

Domain Parsing in Uncoder CTI


To improve IOC query generation, we’ve reworked domain parsing in Uncoder CTI in Hunt so that the [ ] symbols are excluded.
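The parsing change above, as an added Python example (not Uncoder CTI's own parser): it strips the [ ] defanging from a constructed CTI excerpt, extracts the domains and builds a Lucene-style OR query from them. It goes slightly beyond the page by also handling (.) , [:] , [/] and hxxp schemes, which is an assumption about common defanging styles rather than something the release notes describe.

```python
import re

# Constructed CTI excerpt with defanged indicators (added example, not Uncoder CTI's parser).
REPORT = """
C2 traffic went to update[.]example[.]com and mirror[.]example[.]net:8443,
with a fallback at hxxps://cdn[.]example[.]org/a.php; see also example[.]com.
"""

# A domain must not start right after a word char, dot, slash or hyphen, so URL
# path segments such as a.php are not picked up as domains.
DOMAIN_RE = re.compile(r"(?<![\w./-])(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)

def refang(text):
    """Undo common defanging; only [ ] is on the page, (.) and hxxp are an assumed generalisation."""
    text = re.sub(r"\[\.\]|\(\.\)", ".", text)
    text = text.replace("[:]", ":").replace("[/]", "/")
    return re.sub(r"hxxp(s?)://", r"http\1://", text, flags=re.IGNORECASE)

def extract_domains(text):
    """Return unique lower-cased domains from the refanged text, in first-seen order."""
    text = re.sub(r"https?://", " ", refang(text), flags=re.IGNORECASE)  # drop schemes first
    seen, out = set(), []
    for m in DOMAIN_RE.finditer(text):
        d = m.group(0).lower()
        if d not in seen:
            seen.add(d)
            out.append(d)
    return out

def build_lucene_query(field, domains):
    """Lucene-style query matching any of the domains in the given field."""
    return field + ":(" + " OR ".join(f'"{d}"' for d in domains) + ")"

if __name__ == "__main__":
    print(build_lucene_query("dns.question.name", extract_domains(REPORT)))
```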

Platform Guides


To deliver the most recent information, we’ve updated our Platform Guides by introducing the following changes:

  • We’ve removed the API description from the CCM API Integration Tool guide and replaced it with a link to the API section in the Platform Guides. This ensures the available API description is always up to date.

  • Introduced multiple updates in line with the latest release.

  • Improved the Custom Field Mapping, Search Profiles, and Filters sections of the Platform Guides.

Cyber Threat Search Engine Improvements


Simulations


To improve the user experience on the Simulations tab, we’ve set the direct link to the .md files instead of a folder in the Red Canary repository. For example: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md.

UI Improvements


To enhance the user interface of the Cyber Threat Search Engine, we’ve introduced multiple changes.

Author’s Page


To visually show the difference in the number of content items uploaded by each author to cover MITRE ATT&CK® techniques, we’ve introduced a color gradient in the MITRE ATT&CK section of the Author’s Page. The brighter the color, the higher the number of contributed rules.

Additionally, we’ve added a View All Author Rules button to check all of the developer’s content directly from their Author Page.

Updates at my.socprime.com


With this release, we’ve introduced updates for several pages on my.socprime.com.

Center of Excellence for Microsoft Sentinel SIEM & SOAR


We’ve introduced a new Center of Excellence for Microsoft Sentinel page to highlight SOC Prime's partnership with Microsoft. You can check more details here or by going to my.socprime.com → Why SOC Prime → Center of Excellence for Microsoft Sentinel.

We’ve also added Center of Excellence for Microsoft Sentinel to the dropdown menu under Why SOC Prime.

For consistency, we’ve included a link to the Center of Excellence for Microsoft Sentinel in headers and footers across the following pages: my.socprime.com, socprime.com, uncoder.io, cti.uncoder.io, and attack.socprime.com.

Threat Bounty


We’ve updated the layout of the Threat Bounty page for developers by introducing the announcement of the upcoming Sigma Rules Bot for Threat Bounty. You can access the page here or by going to my.socprime.com → Contribute → Threat Bounty.

Detection as Code


After releasing the new edition of the Detection as Code Innovation Report, we’ve introduced a couple of changes:

  • Made minor UI improvements.

  • Updated headers and footers on all pages that linked to the report. The changes were applied to my.socprime.com, socprime.com, uncoder.io, cti.uncoder.io, attack.socprime.com, and sigma.socprime.com.

Uncoder.IO Updates


As part of the Snowflake integration into the SOC Prime Platform, we’ve added Snowflake support to uncoder.io.

Key Bug Fixes & Improvements


With this release, we’ve made the following key bug fixes and improvements to enhance the user experience with the SOC Prime Platform:

  • Resolved an issue that appeared after the redesign in Continuous Content Management. A Job that had a Preset with a Filter deployed the associated content without applying that Preset.

  • Fixed the layout of the Create New Field Mapping Profile modal. When the modal was opened from Quick Hunt, its layout did not display correctly, and the profile could not be saved.

  • Resolved an issue where in some cases clicking the Submit button failed to submit a review.

  • Resolved two issues in Quick Hunt:

    • Fixed the display of the last hunt date and time when hovering over the Hunted label of a content item.

    • Fixed the display of records about previous hunts in Hunt History.

  • Fixed an issue with search on the Company tab in Environments.

  • Resolved an issue where only one environment for CrowdStrike or Microsoft Defender for Endpoint was displayed in the Environment dropdown in Quick Hunt while multiple environments were set up.

  • Fixed an issue with the rule count in the Content Lists. In some cases, the number wasn’t displayed correctly.

  • Resolved a bug where the CouldNotParseRelativeQueryStringString error was displayed when deploying Humio Alert with the Start Preset option in hours.

  • Improved the logic of URL IOC encoding in Uncoder CTI to ensure the queries are correctly passed in links.

  • Updated content item ranking for items that fully match the search term. Now such an item is shown at the top of search results, which meets user expectations.

  • Added missing reward badges for one of the Threat Bounty developers in the Cyber Threat Search Engine.

  • Removed the last item of the On Demand value proposition list on the Upgrade page for all options of the On Demand plan except #sigma2savelives since this item relates only to #sigma2savelives.
