
SOC Prime Platform Product Release Notes 5.3.7

Written by Sergey Bayrachny

August 24, 2022

© 2022 SOC Prime Inc.

All rights reserved. This product and its related documentation are protected by copyright and distributed under licenses restricting their use, copying, distribution, and decompilation. No part of this product or its related documentation may be reproduced in any form or by any means without the prior written authorization of SOC Prime. While every precaution has been taken in the preparation of this book, SOC Prime assumes no responsibility for errors or omissions. This publication and the features described herein are subject to change without notice.

Redesigned Platform Navigation


We've redesigned the navigation panel and home page, reorganizing some elements of the SOC Prime Platform and renaming element groups. This streamlines the platform structure and makes it more intuitive.

Now, the elements are grouped as follows:

  • Content (ex Discover). Search for detection rules, queries, and other content using the view that best suits your preferences:

    • Advanced Search

    • Detection Engineering

    • MITRE ATT&CK®

  • Hunt. Hunt for the latest threats in one click and generate performance-optimized IOC queries you can launch in your environment:

    • Quick Hunt

    • Uncoder CTI

  • Automate. Stream detection content into your SIEM, set up integrations, and create profiles to customize rule code or tailor search results:

    • Continuous Content Management

    • Environments

    • Custom Field Mapping

    • Search Profiles

  • Analytics (ex Manage). Track and benchmark your Platform utilization as well as analyze coverage and monitor gaps:

    • Dashboard

    • Log Source Coverage

    • MITRE ATT&CK Coverage

    • Leaderboards

Learn, Collaborate, and Personalize elements are now available through icons in the upper right corner:

  • Help Center:

    All things learning

  • Collaborate:

    Links to our Slack community and Threat Bounty Program as well as links to our social media accounts

  • Profile:

    Your account settings

Additionally, we've moved the content search bar to the header. This ensures you can search for detection content while on any page of the Platform.

Microsoft Sentinel Integration Improvement


We've improved the Hunt (Web Search) integration with Microsoft Sentinel so that it works for all types of environments. The link to the environment must now contain four essential parameters:

  • Subscriptions

  • Resource Groups

  • Providers

  • Workspaces

We've added a short instruction on where to copy the link with all required parameters. You can find it in the tooltip for the URL field.

If you've already set up a Microsoft Sentinel environment profile for hunting, please update the link according to the new instructions. This will ensure the integration keeps working.
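As an added illustration (not SOC Prime's own validation code), the following Python checker parses an environment link and reports which of the four required parameters are missing. It assumes the link embeds an Azure resource ID in the usual /subscriptions/.../resourceGroups/.../providers/.../workspaces/... layout, as a bare ID or inside a portal URL; the tenant, subscription and resource names in the sample links are constructed placeholders.

```python
from urllib.parse import unquote

# The four segments the release notes require in a Sentinel environment link.
# In an Azure resource ID they appear in this order:
#   /subscriptions/{id}/resourceGroups/{name}/providers/{namespace}/workspaces/{name}
REQUIRED = ("subscriptions", "resourceGroups", "providers", "workspaces")


def extract_parameters(link: str) -> dict:
    """Return whichever of the four required parameters the link carries.

    Accepts a bare resource ID or a portal URL that embeds one, including the
    percent-encoded form (%2Fsubscriptions%2F...) some portal blades use.
    """
    path = unquote(link)
    start = path.lower().find("/subscriptions/")
    if start < 0:
        return {}
    # Drop any query string, then read the path as alternating key/value pairs.
    segments = [s for s in path[start:].split("?", 1)[0].split("/") if s]
    found = {}
    for key, value in zip(segments[0::2], segments[1::2]):
        for name in REQUIRED:
            if key.lower() == name.lower() and name not in found:
                found[name] = value  # keep the first occurrence of each key
    return found


def missing_parameters(link: str) -> list:
    """List the required parameters the link lacks; an empty list means complete."""
    found = extract_parameters(link)
    return [name for name in REQUIRED if name not in found]


def parse_sentinel_link(link: str) -> dict:
    """Validate a link for an environment profile; raise if any parameter is absent."""
    missing = missing_parameters(link)
    if missing:
        raise ValueError("link is missing: " + ", ".join(missing))
    return extract_parameters(link)


# Constructed sample links with placeholder tenant, subscription and names.
COMPLETE_LINK = (
    "https://portal.azure.com/#@contoso.onmicrosoft.com/resource"
    "/subscriptions/11111111-1111-1111-1111-111111111111"
    "/resourceGroups/rg-soc/providers/Microsoft.OperationalInsights"
    "/workspaces/law-sentinel/Overview"
)
INCOMPLETE_LINK = (
    "https://portal.azure.com/#@contoso.onmicrosoft.com/resource"
    "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-soc/overview"
)

if __name__ == "__main__":
    print(parse_sentinel_link(COMPLETE_LINK))
    print(missing_parameters(INCOMPLETE_LINK))  # ['providers', 'workspaces']
```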

New Offerings on the Upgrade Page


Professional Services


We've extended the Upgrade page with a Professional Services block. Click Check Details to learn about the services we offer.

Set the checkboxes next to the services you're interested in and click Ask For Services.

Our expert will reach out to you shortly.

Bundles


To expand the options available to our users, we've created bundles with the On Demand subscription plan. Now you can benefit from its utmost flexibility combined with the expertise we offer as Professional Services.

Improvements on the Upgrade Page


Why Upgrade Popup


We've added Why Upgrade popups that highlight the benefits of On Demand and Enterprise subscription plans.

Click Why Upgrade for the selected plan to show a concise value proposition and instantly realize the plan's strengths.

Wording Improvement


To highlight our subscription plans' value, we've improved the wording of their key benefits listed on the Upgrade page.

GitHub Integration Beta


With this release, we've launched a beta of GitHub integration. This integration enables security professionals to push detection content to a repo rather than deploying it directly, making the SOC Prime Platform part of their CI/CD flow.

You can push content to your repo:

  • Manually from a rule page. The Deploy to Repository button is shown on the rule page for content platforms you selected during your environment setup.

  • Automatically via Continuous Content Management. Set up a Job that will push the content of your choice to your repo. For your GitHub environment to become available in the Environment field of the Job settings, first select the Platform and Content Type that match the values you set in the Content Platform field during environment setup.

The GitHub integration supports the following content formats:

  • Microsoft Sentinel Rule

  • Microsoft Sentinel Query

  • Elastic Detection Rule

  • Elastic Watcher

  • Elastic Saved Search

  • Chronicle Security Rule

  • Humio Alert

  • Splunk Alert

  • Sumo Logic Query

  • LimaCharlie

Currently, GitHub integration is not available by default. If you want it enabled for your company, please reach out to your SOC Prime Customer Success Manager.

To set up your integration environment once this feature is available to you, go to Integration > Environments and do the following:

  1. Click the Create Profile button in the upper right corner of the screen.

  2. Name your profile.

  3. Select GitHub as your platform in the dropdown.

  4. Choose if you want to share this integration environment with your team.

  5. Fill in the required fields:

    • Repository: Provide the name of your repository

    • GitHub Token: Provide your personal access token. You can learn how to create it here

    • Source Branch: The name of the branch to pull content from

    • New Branch: The name of the branch to push content to

  6. Set the Show Advanced checkbox if you want to configure the optional advanced settings:

    • Assignee: The name of the GitHub user pull requests are assigned to

    • Label: Add a GitHub label that will be attached to pull requests

    • Auto Merge: Choose whether you want to merge pull requests automatically

    • Auto Delete Branch: Choose whether you want to automatically delete the branch after the pull request is merged (when Auto Merge is enabled)

    • Commit Message Template: Provide a template for a commit message

    • Path to Upload: Provide the path to the folder the content should be uploaded to. If no value is entered, the root folder indicated in the New Branch field is used

    • Download Path: Provide the path to the folder the content should be downloaded from. If no value is entered, the root folder indicated in the Source Branch field is used

    • File Formats: Choose file formats of the content you're going to push to your repository

  7. Click Save Changes.

  8. Check connection to your environment on the Environments page:

    • Click the More icon for the created environment profile

    • Select Check Connection

Note:

In Inventory, when you select a GitHub environment:

  • The Enable and Disable buttons are grayed out, since the rules are pushed to the configured repo rather than deployed

  • Two additional columns are shown: Platform and Type

Warning about Disabled Inventory


In Continuous Content Management, we've added a check that shows a warning if the user enables a Job associated with a disabled Inventory. The warning informs the user that, with a disabled Inventory, duplicates in their SIEM cannot be controlled automatically.

What's New Popup


We've introduced a What's New popup powered by Intercom. It shows key updates of the most recent release and contains a link to the full Release Notes. The popup is shown once, the first time the user logs in after the release.

Cyber Threat Search Engine Improvement


We've added a short delay before the tooltip is shown when the user hovers over an item. This improves the user experience and leaves enough time to look at the surrounding UI elements.

Report Download


We've improved the report download feature on the Dashboard page, making the download substantially faster.

UI Improvements


Hints for Author Names


To ensure the full name of a rule author can always be displayed in the MITRE ATT&CK® view, we've added a hint that shows the full name when hovering over an item in the Author dropdown.

Updated GIFs


We've updated the GIFs shown to newly registered users who were not linked to their organization automatically and, accordingly, have no access to some functionality.

Additionally, we've changed the messages under the GIFs to explain to the users that the functionality will become available after verification.

Platform Guides Update


We've updated our Platform Guides to make sure they contain all info you may need to use the SOC Prime Platform successfully.

Key Bug Fixes & Improvements


With this release, we’ve made the following key bug fixes and improvements to enhance the user experience with the SOC Prime Platform:

  • Removed an outdated popup related to a deprecated feature in Quick Hunt.

  • Fixed a bug where the page got blurred if two popups were promptly closed in a row. The bug appeared on the rule and preset pages.

  • Removed the How to Get Credentials link from the Carbon Black integration setup modal. The link led to a popup with instructions for a different platform.

  • Resolved an issue where an incorrect Updated date was sometimes shown for updated Chronicle Security Rules.

  • Fixed a bug with Jobs that deploy Inventory Content Lists. Previously, when the Use Default Custom Field Mapping based on Log Source checkbox was set in the Job settings, empty mapping values could be applied. To prevent this case in the future, we've introduced a check for the Content List type before applying mapping as part of the Job. If the type is Inventory, the default Custom Field Mapping based on log source is not applied. Accordingly, to use mapping with an Inventory Content List, you need to clear the Use Default Custom Field Mapping based on Log Source checkbox and select a Custom Field Mapping profile.

  • Updated the spelling of Kyiv in the Timezone dropdown of the CCM (API Deploy) integration setup for Sumo Logic.

  • Updated the CTI.Uncoder.IO page to enable redirection to the main website page (socprime.com) when the SOC Prime logo in the upper left corner is clicked.

  • Aligned input fields and field labels on the Create New Environment Profile popup opened from Quick Hunt.

  • Fixed a bug where the Delete Rule Preset? popup did not close after clicking Delete.
