
SOC Prime Platform Product Release Notes 5.3.6

Written by Sergey Bayrachny

August 10, 2022

© 2022 SOC Prime Inc.

All rights reserved. This product and its related documentation are protected by copyright and distributed under licenses restricting their use, copying, distribution, and decompilation. No part of this product or its related documentation may be reproduced in any form or by any means without the prior written authorization of SOC Prime. While every precaution has been taken in the preparation of this book, SOC Prime assumes no responsibility for errors or omissions. This publication and the features described herein are subject to change without notice.

Sumo Logic Integration for Hunting


With this release, we've added a hunt (web search) integration with Sumo Logic.

Now, you can run queries in your Sumo Logic environment:

  • Directly from Quick Hunt

  • Directly from Uncoder CTI

You can open the setup modal to configure integration with your Sumo Logic environment in one of the following ways:

  • Go to Integration > Environments and click Create Profile

  • Go to Quick Hunt, choose Sumo Logic platform, and select Create New Environment in the Environment dropdown

To set up integration with your environment, follow these steps:

  1. Give your profile a name and choose if you want to share it with your team.

  2. Select Sumo Logic as your platform if the modal was opened from the Environments page (if it was opened from Quick Hunt, the platform is pre-selected).

  3. Select the Hunt (Web Search) tab.

  4. Copy your Sumo Logic web console URL from your browser and paste it into the Sumo Logic URL field. The URL must include your deployment region, since queries are sent to the region-specific console.

  5. Set the start and end times of the query time range.

  6. Optionally, choose a Config for alternative translations and set up a Custom Field Mapping profile to use by default in Quick Hunt.

  7. Click Save Changes.

  8. Check the connection status of your environment integration on the Environments page.
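The following is an added example, not code from SOC Prime or the Platform, of the kind of check a practitioner would run on the console URL from step 4 before saving it in a profile: it confirms the URL is an https Sumo Logic console address, extracts the deployment region, and normalizes away any search path or fragment copied along from the browser. It assumes the documented Sumo Logic host scheme `service.<deployment>.sumologic.com`, with the US1 deployment being the only one whose console host omits the region label; that assumption, and the function names, are not from the release notes.

```python
import re
from urllib.parse import urlsplit

# Assumed host scheme for Sumo Logic web consoles (not from the release notes):
# "service.<deployment>.sumologic.com" for most deployments (us2, eu, au, ...),
# and plain "service.sumologic.com" for the US1 deployment.
_HOST_RE = re.compile(r"^service(?:\.(?P<region>[a-z0-9]+))?\.sumologic\.com$")


def sumo_console_region(url: str) -> str:
    """Return the deployment region encoded in a pasted Sumo Logic console URL.

    Raises ValueError when the URL is not an https Sumo Logic console URL.
    The anchored regex rejects look-alike hosts such as
    service.us2.sumologic.com.attacker.example, which a plain substring check
    would accept.
    """
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        raise ValueError("Sumo Logic URL must use https")
    host = (parts.hostname or "").lower()
    match = _HOST_RE.match(host)
    if match is None:
        raise ValueError(f"not a Sumo Logic web console host: {host!r}")
    region = match.group("region")
    # Assumption: a bare service.sumologic.com host is the US1 deployment.
    return region if region is not None else "us1"


def sumo_console_base(url: str) -> str:
    """Normalize a pasted console URL to its https origin for storage.

    Browser URLs usually carry a search path and a '#/...' fragment; only the
    origin (scheme + host) is needed to address the deployment.
    """
    sumo_console_region(url)  # validates scheme and host, raises on failure
    host = urlsplit(url.strip()).hostname.lower()
    return f"https://{host}"


if __name__ == "__main__":
    # Constructed sample input: a URL copied from a US2 console search page.
    sample = "https://service.us2.sumologic.com/ui/#/search/abc123"
    print(sumo_console_region(sample), sumo_console_base(sample))
```

The normalization step matters for a stored integration profile: keeping only the origin means a later search path pasted by a user cannot change where the Platform sends its queries.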

Continuous Content Management


Logging Improvement


To make Job debugging easier, we've introduced logs of additional events, making logging more detailed:

  • New events logged for deployment Jobs:

    • Job started

    • Start of deploying

    • Authorization failed (logged per content item where applicable)

  • New events logged for Inventory synchronization Jobs:

    • Job started

    • Job finished

    • Credentials error

Layout Enhancement


We've reduced the empty space under the page titles to make the layout more balanced.

Run Now


We've improved the display of the Run Now item in the context menu for Jobs. It is now available as soon as the Job is created and enabled.

Updated Field Names for Carbon Black


To ensure compatibility with Carbon Black Cloud, we've updated the default field names for Carbon Black queries generated in Uncoder CTI:

  • Source IP → netconn_local_ipv4

  • Destination IP → netconn_ipv4

  • Domain → netconn_domain

  • URL → netconn_domain

  • Hash MD5 → hash

  • Hash SHA-256 → hash
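As an added example (not code from Uncoder CTI or SOC Prime), the snippet below shows how the field mapping above is applied when a list of indicators is turned into a Carbon Black Cloud search: each indicator is classified as an IP, domain, URL or hash, the URL is reduced to its host because both Domain and URL map to `netconn_domain`, and duplicate terms are collapsed. Only the six field names are taken from the release notes; the `field:value` search syntax, the function names and the sample indicators are assumptions.

```python
import ipaddress
import re
from typing import Iterable, Optional, Tuple
from urllib.parse import urlsplit

# Default Carbon Black Cloud field names listed in the release notes.
CB_FIELDS = {
    "src_ip": "netconn_local_ipv4",
    "dst_ip": "netconn_ipv4",
    "domain": "netconn_domain",
    "url": "netconn_domain",
    "md5": "hash",
    "sha256": "hash",
}

_MD5 = re.compile(r"^[0-9a-f]{32}$", re.I)
_SHA256 = re.compile(r"^[0-9a-f]{64}$", re.I)
_DOMAIN = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)


def classify_ioc(value: str, direction: str = "dst") -> Optional[Tuple[str, str]]:
    """Return (ioc_type, normalized_value), or None for unsupported input.

    direction selects Source IP ("src") or Destination IP ("dst") for IPv4
    indicators; IPv6 is skipped because the netconn_*_ipv4 fields hold IPv4 only.
    """
    v = value.strip()
    if not v:
        return None
    if _MD5.match(v):
        return "md5", v.lower()
    if _SHA256.match(v):
        return "sha256", v.lower()
    try:
        ip = ipaddress.ip_address(v)
        if ip.version == 4:
            return ("src_ip" if direction == "src" else "dst_ip"), v
        return None
    except ValueError:
        pass
    if "://" in v:
        # URL indicators are reduced to their host, as both map to netconn_domain.
        host = urlsplit(v).hostname or ""
        return ("url", host.lower()) if _DOMAIN.match(host) else None
    if _DOMAIN.match(v):
        return "domain", v.lower()
    return None


def build_cb_query(iocs: Iterable[str], direction: str = "dst") -> str:
    """Build a search string from indicators using the mapped field names.

    Assumption (not from the release notes): terms are written as field:value
    and OR-ed together. Identical terms, e.g. a domain and a URL on the same
    host, are emitted once.
    """
    terms, seen = [], set()
    for raw in iocs:
        classified = classify_ioc(raw, direction)
        if classified is None:
            continue
        ioc_type, val = classified
        term = f"{CB_FIELDS[ioc_type]}:{val}"
        if term not in seen:
            seen.add(term)
            terms.append(term)
    return " OR ".join(terms)


if __name__ == "__main__":
    # Constructed sample indicators (documentation IP range and reserved names).
    sample = [
        "198.51.100.7",
        "evil.example",
        "https://evil.example/dl/payload.bin?x=1",
        "D41D8CD98F00B204E9800998ECF8427E",
        "2001:db8::1",  # dropped: no IPv6 field in the mapping
    ]
    print(build_cb_query(sample))
```

Classifying before mapping is what makes the single `hash` field safe to use for both MD5 and SHA-256: the value's length decides the type, and the field name stays the same, so a query never silently drops one hash family.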

Check Connection


We've added a Check Connection button to the context menu of the integration environments in the Environments section. This lets users check the connection to their environment at any time, without waiting for the scheduled automatic check.

The button checks the connection for the CCM (API Deploy) integration and is available for the following platforms:

  • Microsoft Sentinel

  • Elastic Stack

  • Humio

  • Sumo Logic

  • Chronicle Security

If the connection is healthy, you'll see a confirmation popup at the top of the screen.

The updated connection status will be displayed in the Status column. Hover over the status to see the time of the most recent check.

If the check shows there's no connection, you'll see a modal warning about the failure and stating its reason.

In this case, the status is Disconnected. Hover over it to see the time of the most recent check and the reason for failure.

UI Improvements


Required Fields


We've updated the integration environment setup modal for Elastic Stack, marking the Kibana Login and Kibana Password fields as required. If the user leaves them empty, a validation error message is shown.

Prompt in Quick Hunt


We've updated the feedback prompt in Quick Hunt, removing the text that referred to a deprecated functionality.

Upgrade Page


We've improved the Compare Plans table on the SOC Prime Platform and my.socprime.com to make it clearer which rules are available for hunting in Quick Hunt.

Guides in New Tab


To improve usability, the Platform Guides now open in a new tab.

Platform Guides Update


We've updated our Platform Guides to ensure they reflect the most recent functionality.

Additionally, we've published a dedicated article on using Continuous Content Management with Splunk.

Cyber Threat Search Engine Improvement


Now, when you click Latest Content Updates, the page with the search results shows the exact period during which the displayed content was released. Currently, it's the last 30 days.

Cookies on Uncoder.IO and CTI.Uncoder.IO


We've added cookies to Uncoder.IO and CTI.Uncoder.IO and, accordingly, introduced the Cookie Policy.

Now, to start using either of these tools, you first need to accept cookies.

We recommend learning more about the cookies by clicking Cookie Settings.

If you wish to revise the Cookie Policy, you can always find it in the footer.

Key Bug Fixes & Improvements


With this release, we've made the following key bug fixes and improvements to enhance the user experience with the SOC Prime Platform:

  • Resolved an issue with Microsoft Sentinel rule deployment where the value of the techniques parameter was not transferred successfully.

  • Fixed a bug with connection check during Onboarding. Previously, if the user chose the Lookup via API option at the Log Source stage and entered valid credentials, in some cases an error message was shown while the connection was healthy.

  • Fixed a bug with deploying queries to Sumo Logic where a query that contained only an event_id failed to deploy.

  • Resolved an issue where, in some cases, translations of Sigma rules with the content type query were generated for Google Chronicle Rule instead of Google Chronicle Query.

  • Improved error handling for Quick Hunt queries that are too long to be passed via a URL. Now, instead of a 404 error, we display a modal and enable the user to copy the query to the clipboard and paste it manually in their platform.

  • Updated links to Platform Guides in various tooltips and modals.
