January 11, 2023
© 2023 SOC Prime Inc.
All rights reserved. This product and documentation related are protected by copyright and distributed under licenses restricting their use, copying, distribution, and decompilation. No part of this product or documentation related may be reproduced in any form or by any means without the prior written authorization of SOC Prime. While every precaution has been taken in the preparation of this book, SOC Prime assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.
New Home Page
We've introduced a new Home Page. It's an all-in-one starting point to quickly check out new content relevant to your team and get insights into your content usage over time and compared to your industry.
Dashboards
The upper part of the page includes Dashboards displaying key information about your company's Content usage. The insights are updated twice a day.
Company Rank
The current rating of your company in its industry by the amount of Content in use. While this metric is purely based on volume, it may indirectly indicate the effort that a particular company invests in timely research and detection of the latest behaviors used in cyber attacks.
Content Usage
Insights into your company's Content usage:
In Use: the number of Content items your company has copied, downloaded, or deployed using the SOC Prime Platform
Premium: the number of available Premium Content items which your company has not copied, downloaded, or deployed yet
Free: the number of available Free Content items which your company has not copied, downloaded, or deployed yet
Usage Trend Compared to Industry
The monthly trend of Content usage by your company compared to its industry (average and top performer). This metric helps you judge whether you are dedicating enough effort, and moving fast enough, in researching, developing, and deploying threat detection rules and queries to keep up with the latest threat landscape, prepare your defenses in advance, and detect and respond to the latest cyber attacks in time.
Techniques & Sub-techniques Addressed
Insights into the MITRE ATT&CK® techniques and sub-techniques mapped to the Content your company has used. Coverage is a moving target, as more than 85% of the Content is updated each year. Treat the coverage indication as a reflection of the team’s progress towards detecting the latest behaviors used in cyber attacks; it is not static, and a mapped technique does not mean every attack using that technique is guaranteed to be detected. For more information, we recommend the M.A.D. certification available here.
Trending Searches
Top searches on the SOC Prime Platform sourced by over 30,000 users from 8,000+ companies and 155 countries. The trend is calculated based on the popularity for the last 14 days.
Recommended Content
The lower part of the page includes 7 different sorting and filtering options tailored specifically to your company. Each tab lists the top 5 Content items. To check out all Content for the selected option, click See All at the bottom of the page.
Latest Vulnerabilities. Recommended Rules and Queries to detect the exploitation of the most recent, critical, exploitable and publicly disclosed cybersecurity vulnerabilities
Log Sources. Recommended Rules and Queries which match the log sources defined in your default Search Profile
Threat Actors. Recommended Rules and Queries to detect the activity of Threat Actors (Groups) relevant to your industry and country per MITRE ATT&CK
Smoking Guns. The most stable, validated and popular behavior-based Sigma rules to detect the most severe malicious activity
Country. Recommended Content most relevant in your country, based on SOC Prime’s dynamic usage statistics across 155 countries
Industry. Recommended Content most relevant in your industry, derived from dynamic usage statistics of at least 100 companies that work in the same industry as your company
CERT Toolkit. Content to detect threats mentioned in CERT teams reports and advisories for the country where your company has its HQ
Content Quality Improvements
Microsoft Sentinel & Microsoft Defender for Endpoint
We've improved the translation of exclusion conditions defined with regular expressions, so that the filters used in Sigma rules are always rendered accurately in these platform formats. For example, this filter in a Sigma rule:
filter:
  CommandLine|re: '\-[^A-OQ-Za-oq-z][^\s]*'
is now translated into:
and not (CommandLine matches regex @'(?i)\-[^A-OQ-Za-oq-z][^\s]*')
The regular expression is carried over unchanged into a KQL verbatim string literal (@'...'), and the (?i) flag is prepended to make the match case-insensitive. For this particular character class, which already lists both upper- and lower-case letters, the flag does not change which command lines are excluded.
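As an added illustration, and not SOC Prime's own translation code, the following Python script renders a Sigma field|re filter entry into the KQL exclusion clause of the shape shown above, and then applies the same regular expression to a few constructed command lines to show which events the filter excludes. The minimal fragment parser, the handling of the (?i) flag and the quote escaping, and the sample command lines are all assumptions made for this example; Sigmac's actual implementation is not shown on this page.

```python
import re
from typing import Dict, List, Tuple

# Constructed Sigma filter fragment, copied from the release notes with
# its YAML indentation restored (SOC Prime's own parser is not used here).
SIGMA_FILTER = r"""
filter:
  CommandLine|re: '\-[^A-OQ-Za-oq-z][^\s]*'
"""


def parse_re_filter(fragment: str) -> List[Tuple[str, str]]:
    """Extract (field, pattern) pairs from `Field|re: 'pattern'` lines.

    Hand-rolled for this fragment shape so the example needs no PyYAML;
    a real pipeline would load the whole rule with a YAML library.
    """
    entries = []
    for raw in fragment.splitlines():
        line = raw.strip()
        if not line or line.endswith(":"):  # blank line or the `filter:` header
            continue
        key, value = line.split(":", 1)
        field, _, modifier = key.partition("|")
        if modifier != "re":
            raise ValueError(f"only the 're' modifier is handled, got {key!r}")
        entries.append((field, value.strip().strip("'\"")))
    return entries


def sigma_re_filter_to_kql(field: str, pattern: str, case_insensitive: bool = True) -> str:
    """Render one `field|re` filter entry as a KQL exclusion clause.

    KQL verbatim string literals (@'...') take the regex unchanged; the only
    escape they need is doubling any literal single quote. The (?i) prefix
    reproduces the case-insensitive flag visible in the translated output.
    """
    prefix = "(?i)" if case_insensitive else ""
    escaped = pattern.replace("'", "''")
    return f"and not ({field} matches regex @'{prefix}{escaped}')"


def render_filter_clause(fragment: str) -> str:
    """Translate every entry of the filter fragment into KQL and join them."""
    return " ".join(sigma_re_filter_to_kql(f, p) for f, p in parse_re_filter(fragment))


def apply_filter(events: List[Dict[str, str]], field: str, pattern: str) -> List[str]:
    """Return the field values that SURVIVE the exclusion, i.e. do not match.

    Both Sigma `re` and KQL `matches regex` are unanchored, so re.search is the
    right Python analogue; for this pattern Python's re and RE2 agree.
    """
    rx = re.compile(pattern)
    return [e[field] for e in events if field in e and not rx.search(e[field])]


FIELD, PATTERN = parse_re_filter(SIGMA_FILTER)[0]

# Constructed sample command lines (not real telemetry) chosen to show which
# side of the filter each lands on. The class [^A-OQ-Za-oq-z] matches any
# character except the letters A-O, Q-Z, a-o, q-z, so a dash followed by
# 'p', a digit, or another dash matches the regex and is excluded.
SAMPLE_EVENTS = [
    {"CommandLine": "powershell.exe -enc SQBFAFgA"},  # -e: letter inside the class, survives
    {"CommandLine": "powershell.exe -p profile.ps1"},  # -p: 'p' is outside the class, excluded
    {"CommandLine": "tool.exe -1 target"},             # -1: digit, excluded
    {"CommandLine": "app.exe --help"},                 # --: second dash, excluded
    {"CommandLine": "cmd.exe /c whoami"},              # no dash at all, survives
]

if __name__ == "__main__":
    print(render_filter_clause(SIGMA_FILTER))
    for cmdline in apply_filter(SAMPLE_EVENTS, FIELD, PATTERN):
        print("kept:", cmdline)
```

Running the script prints the KQL clause from the release notes and then the two command lines that survive the exclusion. The quote-doubling in sigma_re_filter_to_kql is the one transformation a verbatim string needs; a pattern containing a single quote would otherwise terminate the KQL literal early.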
Elasticsearch
We've updated the mapping of the office365 Sigma log source service for Elasticsearch in Sigmac to ensure it's always applied correctly during translation.
Environment Connection Check
We've improved the connection check feature for Elastic Stack.
Now, when you select this platform's environment and click Check Connection in the context menu, the result of the check shows separate details for Kibana and Elastic configurations.
This ensures you can verify the connection status for each configuration individually.
Tips for Custom Field Mapping
We've added tips on using the fields on the Index tab of the Splunk Custom Field Mapping profile creation and editing modals. With these tips, you'll be able to benefit even more from the flexibility of the mapping settings.
Hunt History Improvement
Now, when clicking the Hunted label in Quick Hunt to display the hunt history, you'll see info for all users within your organization. Users with a Manager role will also be able to see the names of their team members who ran the hunts.
GitHub Synchronization Improvement
We've improved the synchronization service, which ensures that all valid content from the SigmaHQ and Azure-Sentinel repos on GitHub is present on the SOC Prime Platform. Content that is not ready for use (for example, a rule with no body) is not published after synchronization.
Additionally, we've ensured that all content from these GitHub repos is available for free under any subscription plan. You can find it by filtering for Git Free Access availability status in Advanced Search or Detection Engineering.
Platform Guides
We've updated our Platform Guides to cover the new functionality of the SOC Prime Platform.
Key Bug Fixes & Improvements
With this release, we’ve made the following key bug fixes and improvements to enhance the user experience with the SOC Prime Platform:
Improved automated checks used in the process of synchronization with SigmaHQ to prevent content duplication in the rare cases when an author submits a Sigma rule both to GitHub and through our Threat Bounty Program.
Fixed a layout bug where an option name in the Contact Us menu in some cases could overflow its box.
Resolved an issue with drilling down to threat actor details in a MITRE ATT&CK® Info modal opened from the Intelligence tab of a Sigma rule page. Previously, an attempt to open threat actor details could result in an infinite loading screen.
Resolved an issue with the link generated to run a query in CrowdStrike. In some cases, the link could include only part of the query the user tried to run.
