September 21, 2022
© 2022 SOC Prime Inc.
All rights reserved. This product and documentation related are protected by copyright and distributed under licenses restricting their use, copying, distribution, and decompilation. No part of this product or documentation related may be reproduced in any form or by any means without the prior written authorization of SOC Prime. While every precaution has been taken in the preparation of this book, SOC Prime assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.
Self-Service Upgrade
To streamline the process of upgrading to an On Demand plan, we've integrated the SOC Prime Platform with Stripe. Now, you can make a self-service upgrade without leaving the Platform.
In addition, all order customization options, including the payment method, are now available directly in the Stripe modal. This makes ordering an On Demand plan even simpler and more convenient. After the purchase, your plan is activated automatically right away.
Linking Custom Field Mapping Profiles to Environments
We've introduced an ability to link multiple Custom Field Mapping profiles to a platform environment set up for integration. The linked profiles will be automatically applied to Sigma rule translations with matching log sources in Quick Hunt and CCM for the corresponding environment.
This improvement will come in handy when you have multiple environments with different data schemas.
Now, there are two ways to link a Custom Field Mapping profile to an environment:
In the Environment setup.
Click the Default Custom Field Mappings dropdown on either tab and select all the profiles you want to link to this environment. The selection will be propagated to the corresponding field on the other tab.
After that, if you open any linked Custom Field Mapping profile's settings, you'll see the assigned environment in the Select Environments field.
In the Custom Field Mapping profile setup.
Click the Select Environments dropdown in the Custom Field Mapping profile setup modal and select all environments you want to link this profile to.
After that, if you open any linked environment's settings, you'll see the assigned Custom Field Mapping profile in the Default Custom Field Mappings field on either tab.
Application in Quick Hunt
To leverage the linking of Custom Field Mapping profiles to Environments in Quick Hunt, select the Default option in the Custom Field Mapping dropdown.
Custom Field Mapping profiles will be applied as follows:
If there are Custom Field Mapping profiles linked to the currently selected environment:
The profile that matches the log sources of the Sigma rule is applied.
If several profiles match the log sources of the Sigma rule, the most recently created/edited one is applied.
If there are no Custom Field Mapping profiles linked to the currently selected environment, the profile that is made default but not linked to an environment is applied, as long as it matches the log sources of the Sigma rule.
If there are neither profiles linked to the currently selected environment nor profiles made default (or none of them matches the log sources of the Sigma rule), no mapping is applied.
You can always select a Custom Field Mapping profile manually. The option you've chosen in the Custom Field Mapping dropdown is retained across sessions.
Application in Continuous Content Management
If you set the Use Default Custom Field Mapping based on Log Source checkbox when setting up a Job in Continuous Content Management, mapping profiles are applied as follows:
If there are Custom Field Mapping profiles linked to the environment selected in the Job settings:
The profile that matches the log sources of the Sigma rule is applied.
If several profiles match the log sources of the Sigma rule, the most recently created/edited one is applied.
If there are no Custom Field Mapping profiles linked to the environment selected in the Job settings, the profile that is made default but not linked to an environment is applied, as long as it matches the log sources of the Sigma rule.
If there are neither profiles linked to the environment selected in the Job settings nor profiles made default (or none of them matches the log sources of the Sigma rule), no mapping is applied.
If you clear the checkbox, the mapping profile to be applied can be selected manually.
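The precedence described for Quick Hunt and for Continuous Content Management is the same three-step resolution, so the following added example models it once in Python. It is an illustration written for these notes, not SOC Prime Platform code: the Profile data model, the logsource-matching rule (every key a profile specifies must equal the rule's logsource value), the treatment of "not linked" as "linked to no environment", and the recency tie-break among several default profiles are all assumptions made for the example.

```python
"""Resolution of a Custom Field Mapping profile for a Sigma rule translation.

Constructed illustration of the precedence described in the release notes;
not SOC Prime code. The data model and the matching rule are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional


@dataclass
class Profile:
    name: str
    # Sigma logsource selector the profile applies to,
    # e.g. {"product": "windows", "service": "security"} (assumed model)
    logsource: dict
    # Environments the profile is linked to; empty set = linked to none
    environments: set = field(default_factory=set)
    # "Made default" flag on the profile (assumption)
    is_default: bool = False
    # Last created/edited timestamp, used for the tie-break
    updated_at: datetime = datetime(2022, 1, 1)

    def matches(self, rule_logsource: dict) -> bool:
        # Assumption: every key the profile specifies must equal the
        # corresponding value in the Sigma rule's logsource block.
        return all(rule_logsource.get(k) == v for k, v in self.logsource.items())


def resolve_profile(profiles, environment: str, rule_logsource: dict) -> Optional[Profile]:
    """Return the profile to apply, or None when no mapping is applied."""
    # Step 1: profiles linked to the selected environment that match the rule.
    linked = [p for p in profiles
              if environment in p.environments and p.matches(rule_logsource)]
    if linked:
        # Several matches: the most recently created/edited profile wins.
        return max(linked, key=lambda p: p.updated_at)

    # Step 2: no linked profile matched; fall back to a default profile that
    # is linked to no environment, provided it matches the rule's logsource.
    # Assumption: a linked-but-non-matching profile does not block this
    # fallback, and the same recency tie-break applies here.
    defaults = [p for p in profiles
                if p.is_default and not p.environments and p.matches(rule_logsource)]
    if defaults:
        return max(defaults, key=lambda p: p.updated_at)

    # Step 3: neither a linked nor a default profile matches: no mapping.
    return None


# Constructed sample profiles (names and environments are made up).
PROFILES = [
    Profile("win-sec-old", {"product": "windows", "service": "security"},
            {"prod-splunk"}, updated_at=datetime(2022, 8, 1)),
    Profile("win-sec-new", {"product": "windows", "service": "security"},
            {"prod-splunk"}, updated_at=datetime(2022, 9, 15)),
    Profile("win-global-default", {"product": "windows"}, set(),
            is_default=True, updated_at=datetime(2022, 5, 1)),
]


def resolved_name(environment: str, rule_logsource: dict) -> Optional[str]:
    """Convenience wrapper returning only the chosen profile's name."""
    chosen = resolve_profile(PROFILES, environment, rule_logsource)
    return chosen.name if chosen else None


if __name__ == "__main__":
    win_sec = {"product": "windows", "service": "security"}
    # Two linked profiles match; the newer one is chosen.
    print(resolved_name("prod-splunk", win_sec))
    # Nothing linked to this environment; the unlinked default applies.
    print(resolved_name("lab-elastic", {"product": "windows", "service": "sysmon"}))
    # No profile matches a Linux logsource: no mapping.
    print(resolved_name("lab-elastic", {"product": "linux", "service": "auditd"}))
```

Run it against your own exported profile list to check which profile a given rule will pick up before you switch a Job to the Default option; the interesting case is the second one, where a linked environment still falls back to the unlinked default because none of its own profiles covers the rule's logsource.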
ArcSight Environment Settings
We've added the Default Custom Field Mappings dropdown to the ArcSight environment setup modal. Now, security professionals using ArcSight with a non-standard data schema can automatically tailor Sigma rule translations to their specific field and data location names in Quick Hunt and CCM.
Legal Documents Updated
We've updated the legal documents regulating the use of our products and other aspects of interacting with them:
Continuous Content Management
Redundant Modals Removed
We've streamlined the user experience by removing some redundant confirmation modals. These modals have been replaced with popups that provide the action confirmation, but disappear on their own and do not require any additional interaction.
In particular, we've removed modals that showed after editing a rule inside an Inventory Content List or deleting a content item on the Inventory tab.
Global Content Lists Order
We've updated the default order of the Global Content lists. Now, they are sorted by Last Updated.
If you select a different sorting, the changes are retained.
Red Tests Updated
To ensure you have access to the most relevant attack simulations, we've updated Red Tests available on the SOC Prime Platform by synchronizing them with the Red Canary repo on GitHub.
UI Improvements
Sub-Technique IDs
We've replaced hyphens with periods in the MITRE ATT&CK® sub-technique IDs (for example, T1059.001 instead of T1059-001) to make them match the conventional MITRE formatting.
Upgrade Page
We've updated the list of key features for the Community subscription plan. Now, it includes a point about the 3-day waiting time.
Unlocking Confirmation
To make the unlocking confirmation modal less intrusive, we've changed its behavior so that it shows only the first time a user unlocks a Sigma rule. The modal asks whether the user wants to unlock the rule and informs them that all subsequent rules will be unlocked without extra confirmation.
This behavior has been implemented both on a rule's page and in Quick Hunt.
Cookie Policy Popup
We've updated the popup at socprime.com that asks the user to accept our Cookie Policy or review the cookie settings.
Platform Guides Update
We've updated our Platform Guides so they reflect the latest functionality.
Key Bug Fixes & Improvements
With this release, we’ve made the following key bug fixes and improvements to enhance the user experience with the SOC Prime Platform:
Fixed a bug where certain translations of several free rules were not available for free. The issue was caused by wrong statuses being assigned to the affected translations.
Improved the Custom Field Mapping application logic for Splunk queries generated with a datamodel config. Now, the index is incorporated in the where section of the query.
