
SOC Prime Platform Product Release Notes 5.4.4

Written by Sergey Bayrachny

November 30, 2022

© 2022 SOC Prime Inc.

All rights reserved. This product and documentation related are protected by copyright and distributed under licenses restricting their use, copying, distribution, and decompilation. No part of this product or documentation related may be reproduced in any form or by any means without the prior written authorization of SOC Prime. While every precaution has been taken in the preparation of this book, SOC Prime assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

Authentication with Slack and Atlassian


As part of our effort to streamline logging in and signing up flow, we've added authentication with Slack and Atlassian accounts.

To log in to an existing SOC Prime Platform account, use your Slack or Atlassian account associated with the same email.

To create a new SOC Prime Platform account, use your Slack or Atlassian account associated with the email you want to use for your SOC Prime Platform account.

Note that you can only use a work email.

Content Quality Improvements


Microsoft Sentinel


To ensure correct translation into this platform's format, we've introduced several updates:

  • Improved the conversion logic for filters in Sigma rule conditions of the following type:

    • C AND NOT (A OR B)

    • A AND NOT ((B AND C) OR (D AND E))

  • Improved translation logic for the aggregation count function, ensuring that it takes a field name as a parameter when distinct values in that field need to be counted, and that the timeframe parameter is rendered correctly. For example:

    summarize dcount(DestinationIP) by SourceIP, bin(TimeGenerated, 24h) | where dcount_DestinationIP > 10
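The rendering described above, as an added example that is not SOC Prime's or Uncoder's own code: a small Python function that takes a Sigma-style count aggregation (the classic `count(field) by group > N` form, plus the rule's `timeframe`) and emits the KQL `summarize` pipeline for Microsoft Sentinel. The regular expression, the `TimeGenerated` default and the sample aggregation string are assumptions made for the example; the `dcount_<field>` / `count_` result column names are what KQL itself produces.

```python
import re

# Constructed sample aggregation (Sigma "count() by" syntax) and timeframe.
SIGMA_AGG = "count(DestinationIP) by SourceIP > 10"
TIMEFRAME = "24h"

# Assumed grammar for the example: count(<field?>) [by <group>] <op> <value>
AGG_RE = re.compile(
    r"^count\((?P<field>\w*)\)\s*(?:by\s+(?P<group>\w+))?\s*(?P<op>[<>=]+)\s*(?P<value>\d+)$"
)


def to_kql_timeframe(tf):
    """Validate a Sigma timeframe (e.g. 24h, 5m, 30s, 7d).

    KQL timespan literals use the same suffixes, so a valid value passes
    through unchanged; anything else is rejected instead of being emitted
    as a syntactically broken bin() call.
    """
    if not re.fullmatch(r"\d+[smhd]", tf):
        raise ValueError(f"unsupported timeframe: {tf!r}")
    return tf


def render_count_aggregation(agg, timeframe, time_field="TimeGenerated"):
    """Render a Sigma count aggregation as a KQL summarize + where pipeline."""
    m = AGG_RE.match(agg.strip())
    if not m:
        raise ValueError(f"unsupported aggregation: {agg!r}")
    field, group, op, value = m.group("field", "group", "op", "value")

    if field:
        # Distinct values of a named field: dcount(field); KQL names the
        # resulting column dcount_<field>.
        func, result_col = f"dcount({field})", f"dcount_{field}"
    else:
        # Plain event count: count(); KQL names the resulting column count_.
        func, result_col = "count()", "count_"

    by = [group] if group else []
    # The timeframe always becomes a time bucket on the timestamp column.
    by.append(f"bin({time_field}, {to_kql_timeframe(timeframe)})")
    return f"summarize {func} by {', '.join(by)} | where {result_col} {op} {value}"


if __name__ == "__main__":
    print(render_count_aggregation(SIGMA_AGG, TIMEFRAME))
```

Running the block prints the same query the release note shows; a `count() > 5` aggregation without a `by` clause renders as `summarize count() by bin(TimeGenerated, 1h) | where count_ > 5`, which is the plain-count case the distinct-count fix must not break.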

Microsoft Defender for Endpoint


We've introduced several updates:

  • Improved the conversion logic of filters in Sigma rule conditions of the following type: A AND NOT ((B AND C) OR (D AND E))

  • Ensured that the EventID field of the original Sigma rule is not included in the translation.

Splunk Alerts


Enhanced Info

We've added more info to the Splunk Alerts automatically translated from Sigma rules:

  • action parameters:

    • actions: value is risk,notable for any Sigma rule

    • action.risk: value is 1 for any Sigma rule

    • action.risk.param._risk_object_type: value is user for any Sigma rule

    • action.risk.param._risk_score: corresponds to the Sigma rule's level:

      • low = 25

      • medium = 50

      • high = 75

      • critical = 100

    • action.correlationsearch: value is 0 for any Sigma rule

    • action.correlationsearch.enabled: value is 1 for any Sigma rule

    • action.notable.param.rule_title: Sigma rule's title

    • action.notable.param.rule_description: Sigma rule's description and ID

    • action.correlationsearch.label: Sigma rule's title

    • action.correlationsearch.annotations: MITRE ATT&CK® techniques mapped to the Sigma rule
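To make the parameter list above concrete, here is an added Python example (not SOC Prime's translation code) that takes a constructed Sigma rule and builds the `savedsearches.conf` action parameters listed in the release note, including the level-to-risk-score mapping. The sample rule, the `attack.tXXXX` tag parsing, the way description and ID are concatenated, and the JSON shape of the annotations value are assumptions made for the example; the parameter names and constant values are the ones from the table.

```python
import json
import re

# Risk score per Sigma level, as stated in the release note.
RISK_SCORE_BY_LEVEL = {"low": 25, "medium": 50, "high": 75, "critical": 100}

# Constructed sample rule; the ID and text are made up for this example.
SIGMA_RULE = {
    "id": "00000000-0000-4000-8000-000000000001",
    "title": "Suspicious Remote Interactive Logon",
    "description": "Detects RDP logons from outside private address ranges.",
    "level": "high",
    "tags": ["attack.lateral_movement", "attack.t1021.001"],
}


def attack_annotations(tags):
    """Collect ATT&CK technique / sub-technique IDs from Sigma tags.

    Assumed convention: tags look like attack.t1021 or attack.t1021.001;
    tactic tags such as attack.lateral_movement are ignored.
    """
    techniques = []
    for tag in tags:
        m = re.fullmatch(r"attack\.(t\d{4}(?:\.\d{3})?)", tag, re.IGNORECASE)
        if m:
            techniques.append(m.group(1).upper())
    return techniques


def build_alert_actions(rule):
    """Return the Splunk alert action parameters for one Sigma rule."""
    level = str(rule.get("level", "")).lower()
    if level not in RISK_SCORE_BY_LEVEL:
        # An unknown level must not silently become a zero-risk alert.
        raise ValueError(f"unsupported Sigma level: {level!r}")

    # Assumed layout for "description and ID": description followed by the ID.
    description = f"{rule['description']} (Sigma rule ID: {rule['id']})"
    # Assumed JSON shape for the annotations field.
    annotations = json.dumps({"mitre_attack": attack_annotations(rule.get("tags", []))})

    return {
        "actions": "risk,notable",
        "action.risk": "1",
        "action.risk.param._risk_object_type": "user",
        "action.risk.param._risk_score": str(RISK_SCORE_BY_LEVEL[level]),
        "action.correlationsearch": "0",
        "action.correlationsearch.enabled": "1",
        "action.notable.param.rule_title": rule["title"],
        "action.notable.param.rule_description": description,
        "action.correlationsearch.label": rule["title"],
        "action.correlationsearch.annotations": annotations,
    }


def render_stanza(rule):
    """Render the parameters as a savedsearches.conf stanza keyed by rule title."""
    lines = [f"[{rule['title']}]"]
    lines += [f"{key} = {value}" for key, value in build_alert_actions(rule).items()]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_stanza(SIGMA_RULE))
```

The stanza this prints is what a reviewer would compare against an alert exported from the Platform: the constant parameters are identical for every rule, so only the title, description/ID, risk score and annotations should differ between two rules.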

Backslash Escaping

We've improved backslash escaping in registry and file paths ensuring that every backslash is escaped. For example:

TargetObject="*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\*"

OR with Modifiers

We've updated the conversion algorithms to prevent cases where an OR operator is missing in the translation if the original Sigma rule's filter includes a modifier. For example:

source="WinEventLog:Security" AND ((EventCode="4624" AND LogonType="10") AND NOT ((IpAddress="10.*" OR IpAddress="192.168.*")))
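The two Splunk fixes above (Backslash Escaping and OR with Modifiers), plus the single-space `AND NOT` noted below, as one added Python example rather than SOC Prime's own translation code: a minimal Sigma-detection-to-Splunk renderer that doubles every backslash inside a quoted value and turns a list of values under a modifier into an explicit OR group so no alternative is dropped. The constructed detection block, the supported modifiers (`contains`, `startswith`, `endswith`) and the condition grammar (`X` or `X and not Y`) are assumptions made to keep the example short.

```python
import re

# Constructed Sigma-style detection (not a real SOC Prime rule): two plain
# selection fields, a filter whose field carries a modifier and a list of
# values, and a condition that negates the filter.
DETECTION = {
    "selection": {"EventCode": 4624, "LogonType": 10},
    "filter": {"IpAddress|startswith": ["10.", "192.168."]},
    "condition": "selection and not filter",
}


def escape_value(value):
    # Inside a double-quoted Splunk literal every backslash must be doubled
    # and embedded double quotes must be backslash-escaped.
    return str(value).replace("\\", "\\\\").replace('"', '\\"')


def render_field(spec, value):
    """Render one Sigma field (with optional |modifier) as a Splunk expression.

    A list of values becomes an OR group; a single value is rendered bare.
    """
    field, _, modifier = spec.partition("|")
    values = value if isinstance(value, list) else [value]
    rendered = []
    for v in values:
        s = escape_value(v)
        if modifier == "contains":
            s = f"*{s}*"
        elif modifier == "startswith":
            s = f"{s}*"
        elif modifier == "endswith":
            s = f"*{s}"
        elif modifier:
            raise ValueError(f"unsupported modifier: {modifier!r}")
        rendered.append(f'{field}="{s}"')
    if len(rendered) == 1:
        return rendered[0]
    return "(" + " OR ".join(rendered) + ")"


def render_section(section):
    """All fields of a detection section are ANDed and parenthesised."""
    return "(" + " AND ".join(render_field(k, v) for k, v in section.items()) + ")"


def render_detection(detection, source):
    """Render a detection with condition "X" or "X and not Y" as a Splunk search."""
    cond = detection["condition"].strip()
    m = re.fullmatch(r"(\w+)(?:\s+and\s+not\s+(\w+))?", cond)
    if not m:
        raise ValueError(f"unsupported condition: {cond!r}")
    expr = render_section(detection[m.group(1)])
    if m.group(2):
        # Exactly one space on each side of AND NOT, no redundant whitespace.
        expr = f"({expr} AND NOT {render_section(detection[m.group(2)])})"
    return f'source="{source}" AND {expr}'


if __name__ == "__main__":
    print(render_detection(DETECTION, "WinEventLog:Security"))
    registry_path = "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\"
    print(render_field("TargetObject|contains", registry_path))
```

The first line printed is the logon search from the release note; the second is the registry `TargetObject` example, with each single backslash of the Sigma value emitted as `\\` so Splunk reads the path literally instead of interpreting `\S`, `\M` or `\W` as escape sequences.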

Redundant Whitespace

We've removed redundant whitespace from the AND NOT operator. The whitespace did not affect the translation in any way.

Humio Query


We've introduced several updates into Humio Query translations:

  • Improved the syntax by removing the redundant pipe character that, in some cases, was present at the end of the query.

  • Added quotes around field values specified using regular expressions. For example:

    exe="//usr/s?bin/.*sh/"

MITRE ATT&CK® Framework Update


To keep up with the latest cybersecurity insights, we've updated the MITRE ATT&CK framework version used on the SOC Prime Platform to 12.0. You can find the list of changes here.

Custom Field Mapping Improvement


We've introduced substantial improvements to the Custom Field Mapping functionality:

  • Enhanced the process of applying the Custom Field Mapping profiles to improve the performance of a rule's page. Now, when the user opens the Code tab, only the default profile for the selected platform is loaded automatically.

  • Added the possibility to link multiple log source products to a single Custom Field Mapping profile.

  • Updated the mechanism of defining log sources. Now, you can define log sources either on the Log Source tab by selecting relevant log source products or on the Sigma tab using values of Sigma Category, Product, and Service fields.

    If you fill in the Sigma tab, the following logic is used to match the selected values against the parameters of Sigma rules when applying the mapping: any of the selected Sigma products AND any of the selected Sigma categories AND any of the selected Sigma services.

CTI.Uncoder.IO


To improve the accuracy of IOC query generation, we’ve updated the domain parsing rules to correctly exclude the [ ] symbols around @.
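The parsing fix above, as an added Python example that is not CTI.Uncoder.IO's own code: a refang step that strips the `[ ]` around `@` before the domain is extracted, followed by a domain extractor for email, URL and bare-domain indicators. The example goes a little beyond the note by also handling the common `[.]`, `(.)` and `hxxp://` defanging conventions; the sample indicators are constructed and none are real observed IOCs, and the regular expressions are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Constructed, defanged indicators of the kind pasted into an IOC query
# generator; all values are made up for this example.
SAMPLE_IOCS = [
    "alice[@]example[.]com",
    "hxxps://example[.]com/login",
    "example(.)com",
    "not an indicator",
]

# Order matters: the bracketed "@" is restored first, then bracketed dots,
# then the hxxp scheme, so each later pattern sees already-cleaned text.
DEFANG_PATTERNS = [
    (re.compile(r"\[\s*@\s*\]"), "@"),               # user[@]domain
    (re.compile(r"[\[\(]\s*\.\s*[\]\)]"), "."),      # domain[.]tld, domain(.)tld
    (re.compile(r"^hxxp(s?)://", re.IGNORECASE), r"http\1://"),
]

EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+)$")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)


def refang(ioc):
    """Undo the defanging conventions above and return the raw indicator."""
    s = ioc.strip()
    for pattern, replacement in DEFANG_PATTERNS:
        s = pattern.sub(replacement, s)
    return s


def extract_domain(ioc):
    """Return the domain carried by an email, URL or bare-domain IOC, else None.

    Refanging happens first, so "alice[@]example[.]com" yields "example.com"
    instead of a value that still contains the bracket characters.
    """
    s = refang(ioc)
    if "://" in s:
        host = urlparse(s).hostname
        s = host or ""
    else:
        m = EMAIL_RE.match(s)
        if m:
            s = m.group(1)
    return s.lower() if DOMAIN_RE.match(s) else None


def domains_for_query(iocs):
    """Deduplicated, sorted domain list suitable for building an IOC query."""
    return sorted({d for d in (extract_domain(i) for i in iocs) if d})


if __name__ == "__main__":
    for ioc in SAMPLE_IOCS:
        print(f"{ioc!r:32} -> {extract_domain(ioc)}")
    print(domains_for_query(SAMPLE_IOCS))
```

Anything the extractor cannot normalise to a syntactically valid domain is dropped rather than passed into the generated query, which is the safer failure mode for a search that will run against production log data.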

Cookie Settings


We've updated the Cookie Settings modal for Uncoder.IO and CTI.Uncoder.IO with the relevant list of cookies in use.

UI Improvements


Upgrade Page


We've updated the information on the availability of Quick Hunt and Uncoder CTI under different plans according to the current subscription model.

Professional Services Modal


We've introduced minor improvements to the layout of the Professional Services modal to make it more balanced.

Cyber Threat Search Engine


To ensure the new design of socprime.com fits any device, we've implemented the adaptive layout.

Platform Guides


We've updated our Platform Guides in accordance with the new functionality of the SOC Prime Platform.

Key Bug Fixes & Improvements


With this release, we’ve made the following key bug fixes and improvements to enhance the user experience with the SOC Prime Platform:

  • Fixed alignment of name tags on the Info and Examples tabs of the MITRE ATT&CK Info modal.

  • Fixed links in modals that appear after clicking a MITRE ATT&CK technique, sub-technique, tool, or actor on the Intelligence tab of a Sigma rule. Now, the links to a technique or sub-technique open the technique or sub-technique in the MITRE ATT&CK module, and links to a tool or actor open a modal with details.

  • Fixed an issue with the color of the Content Pack version dropdown. We've replaced the white color with the shade of gray used in other dropdowns throughout the Platform, making the style consistent.

  • Improved the flow of unsubscribing from our newsletter. Now, if the user tries to unsubscribe by clicking an invalid link in the email, they see a corresponding message with a prompt to turn email notifications off manually.

  • Updated the description of the CSV export option in Log Source Coverage and MITRE ATT&CK Coverage, indicating that a semicolon is used as a separator.

  • Resolved an issue where, in some cases, two versions of the rule's code were displayed simultaneously for a short time after opening the Code tab: the original one and one with a config applied.

  • Fixed a bug where an error was displayed after entering a correct 2FA code if the user was already logged in from another browser.

  • Resolved an issue where an error message was displayed after trying to enable a Job for Splunk, even though the Job had been enabled successfully.

  • Fixed a bug in Quick Hunt where in some cases clicking the Hunt button with a default Custom Field Mapping applied could result in an Internal Server Error.

  • Resolved an issue where some fields in Presets were not applied to Splunk Alerts via API.
