
SOC Prime Platform Product Release Notes 5.4.5

Written by Sergey Bayrachny

December 14, 2022

© 2022 SOC Prime Inc.

All rights reserved. This product and its related documentation are protected by copyright and distributed under licenses restricting their use, copying, distribution, and decompilation. No part of this product or its related documentation may be reproduced in any form or by any means without the prior written authorization of SOC Prime. While every precaution has been taken in the preparation of this book, SOC Prime assumes no responsibility for errors or omissions. This publication and the features described herein are subject to change without notice.

Exclusive Access Promotion


We've started a promotion that enables security professionals to get Exclusive Access to a Sigma rule with the Wait to Unlock status for only $89.

With this offer, you can use Sigma rules that are not available under your subscription plan yet. Go to the page of the rule you are interested in and click Get Exclusive Access.

Purchase the Exclusive Access via Stripe without leaving the page, and the rule will be automatically unlocked. The access lasts for 1 year and is granted to all users from your organization.

MITRE ATT&CK® Update


To keep up with the latest cybersecurity insights, we've updated the MITRE ATT&CK framework version used on the SOC Prime Platform to 12.1.

Improved Integration with Microsoft Defender for Endpoint


To ensure that integration with Microsoft Defender for Endpoint works properly, we've updated the default link used for the web search in this platform.

Improved Translations into Microsoft Sentinel and Microsoft Defender for Endpoint


To ensure high-quality translations into these platform formats, we've updated the escaping syntax, removing the redundant backslashes before quotes. For example:

Before: ProcessCommandLine =~ @'\"net.exe\" accounts'
After:  ProcessCommandLine =~ @'"net.exe" accounts'
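The reason the backslashes were redundant is that `@'...'` is a KQL verbatim string literal: inside it a backslash is an ordinary character, so `\"` makes the query look for a literal backslash before each quote, and the only character that needs escaping is the delimiter itself, written twice (`''`). The following added example (written for this page, not SOC Prime's translation engine; the function names and the `decode_verbatim` helper are assumptions) renders the page's command line both the old way and the corrected way and decodes each literal to show what KQL would actually compare against:

```python
"""Rendering a Sigma value as a Microsoft Sentinel / Defender for Endpoint (KQL)
case-insensitive comparison.  Example code written for this page, not SOC Prime's
translation engine; the function names are assumptions."""


def kql_verbatim(value: str) -> str:
    """Render value as a KQL verbatim string literal (@'...').

    Inside a verbatim literal a backslash is an ordinary character, so nothing
    is backslash-escaped; the only character that needs escaping is the
    delimiter, which is written twice ('')."""
    return "@'" + value.replace("'", "''") + "'"


def kql_verbatim_legacy(value: str) -> str:
    """Pre-5.4.5 rendering described on the page: double quotes were also
    prefixed with a backslash, which a verbatim literal keeps as a literal
    backslash character."""
    return "@'" + value.replace("'", "''").replace('"', '\\"') + "'"


def decode_verbatim(literal: str) -> str:
    """What KQL actually compares against for a given @'...' literal."""
    assert literal.startswith("@'") and literal.endswith("'")
    return literal[2:-1].replace("''", "'")


def render_equals(field: str, value: str, legacy: bool = False) -> str:
    """Build `field =~ <literal>` (=~ is KQL's case-insensitive equality)."""
    literal = kql_verbatim_legacy(value) if legacy else kql_verbatim(value)
    return f"{field} =~ {literal}"


# Constructed sample: the command line from the page's example.
VALUE = '"net.exe" accounts'

if __name__ == "__main__":
    before = render_equals("ProcessCommandLine", VALUE, legacy=True)
    after = render_equals("ProcessCommandLine", VALUE)
    print(before)  # redundant backslashes: KQL would match a literal backslash
    print(after)
    print(decode_verbatim(kql_verbatim_legacy(VALUE)) == VALUE)  # False
    print(decode_verbatim(kql_verbatim(VALUE)) == VALUE)         # True
```

Decoding the legacy literal no longer yields the original command line, which is why the old form could silently miss the events the Sigma rule described.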

Continuous Content Management Improvement


History Tab


We've introduced multiple improvements on the History tab of Continuous Content Management:

  1. Updated column names to make them more succinct:

    • CONTENT LIST → LIST

    • CUSTOM FIELD MAPPING → CFM

    • CONTENT COUNT → COUNT

  2. Added the MESSAGE column that shows the success/failure message for the Job. If the message is truncated, you can view its full version by hovering over it.

  3. Made the Lucene search bar longer.

Presets for Elastic Rule Alert


We've added the Output Index field to the Presets for Elastic Rule Alert. This setting allows the user to customize the value of the output_index parameter in the rule code.

Custom Field Mapping Improvements


Settings for Splunk


We've substantially enhanced Custom Field Mapping capabilities for Splunk. Now, on the Index tab, in addition to the index itself, you can customize the source as well as a specific field and its value.

To make full use of these capabilities, apply the following syntax:

  • Index and Source

    • If the DEFAULT VALUE is empty and the CUSTOM VALUE is filled, index/source is replaced with the CUSTOM VALUE input.

    • If you set the DEFAULT VALUE to *, any value of the index field will be replaced with the CUSTOM VALUE input.

    • If the DEFAULT VALUE is filled and the CUSTOM VALUE is empty, both the specified field and its value will be removed (if you set the DEFAULT VALUE to *, all index/source names and their values will be removed).

    • If you use the field=value pattern in the CUSTOM VALUE, both the field name and its value will be replaced with your input.

  • Other Field & Value. Configure the field name to be replaced or use the field=value pattern.
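The rules above can be read as a small rewrite table over the `field=value` clauses of a translated search. The following added example (written for this page, not SOC Prime's implementation; the `Rule` shape, the clause parser, the sample search and the reading of an empty DEFAULT VALUE as "match whatever value the clause has" are all assumptions) applies one rule per bullet to a constructed Splunk search so each case can be checked side by side:

```python
"""Toy model of the Custom Field Mapping (CFM) rules for Splunk described in
these release notes.  Example code written for this page, not SOC Prime's
implementation: the Rule shape, the clause parser and the sample search are
all assumptions."""
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Rule:
    """One row of a hypothetical CFM profile: FIELD, DEFAULT VALUE, CUSTOM VALUE."""
    field: str    # "index", "source", or any other SPL field name
    default: str  # DEFAULT VALUE: "" (unset), "*" (wildcard) or a literal value
    custom: str   # CUSTOM VALUE: "" (remove), "value", or "field=value"


# One `field=value` search clause; the value may be double-quoted.
CLAUSE = re.compile(r'(?P<field>[A-Za-z_][\w.]*)=(?P<value>"[^"]*"|\S+)')


def _unquote(value: str) -> str:
    return value[1:-1] if len(value) >= 2 and value[0] == value[-1] == '"' else value


def _matches(rule: Rule, value: str) -> bool:
    # An empty or "*" DEFAULT VALUE matches whatever value the clause carries
    # (assumption for the empty case); a literal must equal the current value.
    return rule.default in ("", "*") or rule.default == _unquote(value)


def _rewrite_clause(match: re.Match, rules: List[Rule]) -> str:
    field, value = match.group("field"), match.group("value")
    for rule in rules:
        if rule.field != field or not _matches(rule, value):
            continue
        if rule.custom == "":
            # DEFAULT filled, CUSTOM empty: drop the field and its value.
            # A row with both columns empty is treated as a no-op.
            return "" if rule.default else match.group(0)
        if "=" in rule.custom:
            # field=value pattern: replace both the field name and the value.
            return rule.custom
        if field in ("index", "source"):
            # Plain CUSTOM VALUE on the Index tab: keep the field, swap the value.
            return f"{field}={rule.custom}"
        # "Other Field": a plain CUSTOM VALUE is the new field name.
        return f"{rule.custom}={value}"
    return match.group(0)


def apply_cfm(search: str, rules: List[Rule]) -> str:
    """Apply the CFM rules to the search clauses before the first pipe."""
    head, pipe, tail = search.partition("|")
    head = CLAUSE.sub(lambda m: _rewrite_clause(m, rules), head)
    head = " ".join(head.split())  # collapse gaps left by removed clauses
    return head + (f" | {tail.strip()}" if pipe else "")


# Constructed sample: a translated Sigma rule as it might arrive from the platform.
SAMPLE = 'index=windows source="WinEventLog:Security" EventCode=4688 | stats count by host'


def demo() -> List[str]:
    """Return SAMPLE rewritten under one rule at a time, in the order of the page's bullets."""
    profiles = [
        [Rule("index", "", "winsec")],                      # empty DEFAULT, CUSTOM filled
        [Rule("index", "*", "winsec")],                     # wildcard DEFAULT
        [Rule("source", "WinEventLog:Security", "")],       # DEFAULT filled, CUSTOM empty
        [Rule("source", "", "sourcetype=XmlWinEventLog")],  # field=value pattern
        [Rule("EventCode", "", "EventID")],                 # Other Field: rename the field
    ]
    return [apply_cfm(SAMPLE, rules) for rules in profiles]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Only the search head (everything before the first pipe) is rewritten, so aggregation stages such as `stats` are left untouched here; the page's later note on Aggregations describes the platform extending replacements into those functions as well.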

Application in Quick Hunt


We've improved the application of the Default option for Custom Field Mapping in Quick Hunt. Now, if no Custom Field Mapping profile is linked to the selected environment, a non-linked profile with the Make Default setting enabled and matching log sources is applied.

Application to Aggregations


We've updated the Custom Field Mapping application logic so that replacements also apply to aggregation functions if they are present in the Sigma rule.

Detection Engineering Improvement


To improve the usability of the Detection Engineering module, we've removed the vertical scrolling in the Sigma rules pane, keeping only the main scrolling on the page. In addition, when the user scrolls down, the filter panel now stays at the top.

New Tooltip for Premium Sigma Rule Balance


We've updated the tooltip displayed upon hovering over the Premium Sigma rule balance. Now, it includes a button that opens the Upgrade page so that the user can easily top up their organization's balance.

Platform Guides


We've updated our Platform Guides in accordance with the new functionality of the SOC Prime Platform.

Key Bug Fixes & Improvements


With this release, we’ve made the following key bug fixes and improvements to enhance the user experience with the SOC Prime Platform:

  • Made it impossible for users to cancel sharing of a Custom Field Mapping profile created and shared by someone else from their team.

  • Fixed a bug where, in some cases, suggestions in the search bar did not appear even though there was content matching the request.

  • Resolved issues with creating and editing Custom Field Mapping profiles for Snowflake where a 500 error (Internal Server Error) was returned in some cases.

  • Fixed a bug with Custom Field Mapping where the new value was duplicated when the original value (left empty in the CFM profile) contained multiple words.

  • Fixed a bug where a Preset manually selected on a Sigma rule's page was applied for several seconds and then the original code appeared again.

  • Added validation error messages to Sigma Product, Service, and Category fields in the Custom Field Mapping settings.

  • Fixed bugs with deploying Microsoft Sentinel content via a Job in Continuous Content Management:

    • A bug where in some cases an error "Unable to serialize" occurred.

    • A bug where the same rule could sometimes be deployed multiple times even though there were no updates in its code.

  • Resolved an issue with the Content Action State filter in Advanced Search where the content was not filtered by the selected state.

  • Fixed a bug where after clicking view more in the Authors filter in Advanced Search, the list of authors was not displayed in full.

  • Fixed the layout issue with content blocks in the Recommended section on Snort Rule and Yara Rule pages.

  • Fixed a bug in Advanced Search and Detection Engineering where the number of items per page selected by the user was sometimes reset during the session.

  • Removed Snort and Yara rules from the Platforms section in search bar suggestions to avoid cases where the user selects a suggestion only to find that it corresponds to no search results.

  • Resolved an issue in Log Source Coverage and MITRE ATT&CK® Coverage where drilling down to Advanced Search did not work if the links were too long.

  • Added error handling in UI for the Check Connection feature in Environments. Previously, an infinite loading screen could display if the server returned an error. Now, an error message is shown to the user.

  • Restricted the name to Latin characters when the user registers at the SOC Prime Platform or applies for the Threat Bounty Program.

  • Fixed pagination in the mobile view of Detection Engineering where the first page was not displayed in some cases.
