
SOC Prime Platform Product Release Notes 5.6.0

Written by Sergey Bayrachny

February 23, 2023

© 2023 SOC Prime Inc.

All rights reserved. This product and documentation related are protected by copyright and distributed under licenses restricting their use, copying, distribution, and decompilation. No part of this product or documentation related may be reproduced in any form or by any means without the prior written authorization of SOC Prime. While every precaution has been taken in the preparation of this book, SOC Prime assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

Uncoder.IO Becomes Something More


We've released a completely redesigned version of Uncoder.IO. It's packed with new features that can make the everyday work of many security experts easier.

Generate IOC-Based Queries


The first major update is that Uncoder.IO has been combined into one tool with CTO.Uncoder.IO. Now, you can translate Sigma rules and generate IOC-based queries using the same interface. Paste text with IOCs into the input pane or upload a file, and select IOCs in the source dropdown.

With the new functionality, you can:

  • Automatically parse IOCs (hashes, domains, URLs, and IPs) from pasted text or an uploaded file

  • Generate performance-optimized queries for dozens of security platforms

  • Copy or download parsed input and generated output
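As an added illustration of the IOC workflow described above (example code written for these notes, not Uncoder.IO's own implementation), the following Python extracts the four IOC kinds from a constructed text sample, undoes common defanging such as hxxp and [.], and builds one KQL-style `in` clause per IOC type. The sample indicators are made up (the hashes are the well-known MD5 and SHA-256 of an empty file), and the field names RequestUrl, RemoteDnsName, RemoteIP, MD5, SHA1 and SHA256 are assumptions chosen for the example rather than any platform's confirmed schema.

```python
"""Illustrative IOC extractor with a small query builder.
Example code for these release notes; not Uncoder.IO's implementation."""
import re
from typing import Dict, List

# Constructed sample of text a user might paste; every indicator is made up
# (the hashes are the MD5 and SHA-256 of an empty file).
SAMPLE_TEXT = """
Observed beaconing to hxxp://malicious-example[.]test/payload.bin from 10.0.0.25.
Dropper MD5: d41d8cd98f00b204e9800998ecf8427e
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Also seen: update.evil-example[.]test and 203.0.113.7
"""

URL_RE = re.compile(r"\bhttps?://[^\s\"'<>]+", re.IGNORECASE)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Longest alternative first; the \b anchors stop a SHA-256 from also matching as MD5.
HASH_RE = re.compile(r"\b(?:[a-f0-9]{64}|[a-f0-9]{40}|[a-f0-9]{32})\b", re.IGNORECASE)
# Note: any dotted token with an alphabetic last label (e.g. "report.docx") matches this
# pattern too; a production parser would check the TLD against a public suffix list.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\b", re.IGNORECASE)


def refang(text: str) -> str:
    """Undo common defanging ("hxxp", "[.]", "(.)", "{.}") so the regexes see real indicators."""
    text = re.sub(r"hxxp", "http", text, flags=re.IGNORECASE)
    return re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", text)


def extract_iocs(text: str) -> Dict[str, List[str]]:
    """Return de-duplicated IOCs grouped by type, preserving first-seen order."""
    text = refang(text)
    urls = list(dict.fromkeys(URL_RE.findall(text)))
    ips = list(dict.fromkeys(IP_RE.findall(text)))
    hashes = list(dict.fromkeys(h.lower() for h in HASH_RE.findall(text)))
    # Domain-looking tokens that only occur inside a URL (its host, or a path element
    # such as "payload.bin") are not reported separately; the URL already covers them.
    domains = [d for d in dict.fromkeys(DOMAIN_RE.findall(text))
               if not any(d in u for u in urls)]
    return {"url": urls, "ip": ips, "hash": hashes, "domain": domains}


def build_in_clause(field: str, values: List[str]) -> str:
    """Render `field in ("v1", "v2")` with backslashes and double quotes escaped."""
    quoted = ", ".join('"' + v.replace("\\", "\\\\").replace('"', '\\"') + '"' for v in values)
    return f"{field} in ({quoted})"


# Assumed field names for the example; real mappings depend on the target platform's schema.
FIELD_FOR_TYPE = {"url": "RequestUrl", "domain": "RemoteDnsName", "ip": "RemoteIP"}
HASH_FIELD_BY_LEN = {32: "MD5", 40: "SHA1", 64: "SHA256"}


def iocs_to_query(iocs: Dict[str, List[str]]) -> str:
    """One `in` clause per IOC type (hashes split by algorithm), joined with `or`."""
    clauses = []
    for ioc_type in ("url", "domain", "ip"):
        if iocs[ioc_type]:
            clauses.append(build_in_clause(FIELD_FOR_TYPE[ioc_type], iocs[ioc_type]))
    for length, field in HASH_FIELD_BY_LEN.items():
        same_algo = [h for h in iocs["hash"] if len(h) == length]
        if same_algo:
            clauses.append(build_in_clause(field, same_algo))
    return " or ".join(clauses)


if __name__ == "__main__":
    found = extract_iocs(SAMPLE_TEXT)
    for ioc_type, values in found.items():
        print(f"{ioc_type}: {values}")
    print(iocs_to_query(found))
```

Grouping values into a single `in` list per field, rather than emitting one equality test per indicator, is the kind of shape that keeps a generated query cheap to evaluate when the IOC list grows.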

Write, Validate, and Translate Sigma Rules


With the new version, you can use Uncoder.IO as a Sigma rule editor:

  • Leverage Sigma rule templates to speed up writing the code

  • Speed up writing code with the autocomplete feature, which includes a dictionary covering all of MITRE ATT&CK®

  • Benefit from syntax highlighting

  • Hide and show code blocks to make writing/editing the rule more convenient

  • Validate the code using built-in automated checks with detailed feedback

  • Instantly translate a Sigma rule into dozens of security platform formats

Search for Sigma Rules


Use the search bar to look for Sigma rules sourced from the SigmaHQ repo on GitHub. Edit and translate the rules you've found.

Uncoder.AI Coming Soon


Security experts have long been looking for a way to automatically convert detection content between different platform formats. Now we make it possible by leveraging our own technology and the capabilities of ChatGPT.

We are glad to announce that our new tool, Uncoder.AI, will be released soon. It enables you to translate any source format into any target format, with an option to employ the AI-based ChatGPT technology. SOC Prime Platform users will be able to benefit from this functionality as soon as it's rolled out.

Content Quality Improvements


We've introduced multiple improvements in the translation of Sigma rules into the following platform formats.

Microsoft Sentinel


We've made multiple enhancements:

  • Ensured that when ' is part of a value, the translation of this value is enclosed in " " (double quotes) instead.

  • Resolved the issue where | in field values from the detection component of the Sigma rule resulted in a line break in translations.

  • Improved the syntax for queries that include AND NOT operator. This improvement has also been implemented for Microsoft Defender for Endpoint. For example:

    Before: InitiatingProcessFolderPath endswith @'first.exe' and not FolderPath endswith @'second.exe'

    After: InitiatingProcessFolderPath endswith @'first.exe' and not (FolderPath endswith @'second.exe')

Sumo Logic


We've removed quotes around the translations of field values from the detection component of the Sigma rule. So, for example, the following Sigma code:

detection:
  selection:
    CommandLine|contains:
      - 'example'
  condition: selection

is now translated into:

CommandLine = *example*
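To make the Microsoft Sentinel / Defender for Endpoint changes (quoting of values containing ', parenthesised AND NOT) and the unquoted Sumo Logic output above concrete, here is an added Python example that is not Uncoder.IO's code. It renders a Sigma detection, supplied as a Python dict rather than YAML so that it runs without extra dependencies, into KQL and into Sumo Logic syntax. The set of supported modifiers, the KQL operator mapping (=~, contains, startswith, endswith), the Sumo Logic wildcard forms and the AND/OR keywords are assumptions of the example, and only the selection block is rendered for Sumo Logic.

```python
"""Illustrative Sigma detection renderer for KQL (Sentinel / Defender for Endpoint) and Sumo Logic.
Example code written for these release notes; not Uncoder.IO's implementation."""
from typing import Dict, List, Union

SigmaValues = Union[str, List[str]]
Selection = Dict[str, SigmaValues]
Detection = Dict[str, Selection]  # keys: "selection" and optionally "filter"

# Sigma modifiers covered here and their KQL counterparts (all case-insensitive in KQL).
KQL_OPS = {"equals": "=~", "contains": "contains", "startswith": "startswith", "endswith": "endswith"}


def split_key(key: str):
    """'CommandLine|contains' -> ('CommandLine', 'contains'); a bare field name means equals."""
    field, _, modifier = key.partition("|")
    return field, modifier or "equals"


def as_list(values: SigmaValues) -> List[str]:
    return values if isinstance(values, list) else [values]


def kql_literal(value: str) -> str:
    """Verbatim @'...' literal, unless the value contains a single quote; then a "..." literal
    with backslashes and double quotes escaped. A '|' inside the value is kept as-is."""
    if "'" in value:
        return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'
    return "@'" + value + "'"


def kql_selection(selection: Selection) -> str:
    """AND the fields of one selection; OR the alternatives of a multi-valued field."""
    parts = []
    for key, values in selection.items():
        field, modifier = split_key(key)
        terms = [f"{field} {KQL_OPS[modifier]} {kql_literal(v)}" for v in as_list(values)]
        parts.append(terms[0] if len(terms) == 1 else "(" + " or ".join(terms) + ")")
    return " and ".join(parts)


def to_kql(detection: Detection) -> str:
    """Render 'selection and not filter', always parenthesising the negated block."""
    query = kql_selection(detection["selection"])
    if "filter" in detection:
        query += " and not (" + kql_selection(detection["filter"]) + ")"
    return query


# Sumo Logic wildcard forms for each modifier; values are emitted without quotes.
SUMO_WILDCARD = {"equals": "{v}", "contains": "*{v}*", "startswith": "{v}*", "endswith": "*{v}"}


def to_sumo(detection: Detection) -> str:
    """Render the selection block only, with unquoted wildcard values."""
    parts = []
    for key, values in detection["selection"].items():
        field, modifier = split_key(key)
        terms = [f"{field} = " + SUMO_WILDCARD[modifier].format(v=v) for v in as_list(values)]
        parts.append(terms[0] if len(terms) == 1 else "(" + " OR ".join(terms) + ")")
    return " AND ".join(parts)


# Constructed detections mirroring the examples in the notes.
MDE_EXAMPLE: Detection = {
    "selection": {"InitiatingProcessFolderPath|endswith": "first.exe"},
    "filter": {"FolderPath|endswith": "second.exe"},
}
QUOTE_EXAMPLE: Detection = {"selection": {"CommandLine|contains": ["it's", "cmd|pipe"]}}
SUMO_EXAMPLE: Detection = {"selection": {"CommandLine|contains": "example"}}

if __name__ == "__main__":
    print(to_kql(MDE_EXAMPLE))
    print(to_kql(QUOTE_EXAMPLE))
    print(to_sumo(SUMO_EXAMPLE))
```

The parentheses around the negated block matter: without them, a filter with two fields would bind only its first term to the `not` and silently widen the exclusion logic.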

Regex Processing for Multiple Platforms


We've updated the processing of regexes to ensure they are rendered accurately in translations for the following platforms:

  • Elastic Stack

  • Carbon Black

  • Graylog

  • AWS OpenSearch

Moving Community to Discord


As we've moved most of our community activity to a dedicated Discord server, with this release we've added links to join the server to the Cyber Threat Search Engine.

Home Page


We've updated the Confirm Your Industry modal on the Home Page. Now, the user can send the request to change their company's industry only if an industry other than the currently set one is selected in the dropdown.

Additionally, we've improved the text shown in the modal to explain that the industry change request requires verification from the user's manager or our admin.

Cyber Threat Search Engine


We've updated the format of the Sigma rule used as an example of the Uncoder.IO functionality on socprime.com.

Author Stats on socprime.com


We've updated the mechanism for calculating author statistics on socprime.com to ensure that the accurate number of contributed content items is displayed for all authors.

UI Improvements


We've made minor changes to the texts on the Login and Signup pages:

  • Removed unnecessary capitalization

  • Improved validation error message when a personal email is used for signing up

New Customer Logo


We've added a new customer logo to the They Trust Us section on the SOC Prime Platform, Cyber Threat Search Engine, and our company website.

Cyber Library


We've updated the text and images in the Cyber Library articles to ensure they reflect the latest functionality of the SOC Prime Platform.

Platform Guides


We've updated our Platform Guides to keep them consistent with the new functionality on the SOC Prime Platform.

Key Bug Fixes & Improvements


With this release, we’ve made the following key bug fixes and improvements to enhance the user experience with the SOC Prime Platform:

  • Fixed a bug on Advanced Search where the Sigma rule count in some cases could be incorrect if the results were filtered by the MITRE ATT&CK® tactic Initial Access.

  • Resolved an issue with the pound sign (#) in the search query that previously resulted in the following bugs:

    • On the Home Page of the SOC Prime Platform and in the Cyber Threat Search Engine, when the user clicked a trending search that contained #, only the part of the search term before # was actually used.

    • In Advanced Search, no suggestions were shown if the search term contained #.

  • Resolved an issue with deploying content into Chronicle Security. Now, if the /n characters were unintentionally duplicated when the user copied their Private Key into the Environment settings, the duplicates are automatically removed and deployment works.

  • Fixed a bug where some elements that should have been blurred were visible for a short time in the limited version of MITRE ATT&CK Coverage.

  • Fixed alignment of the Contact Us options on the Upgrade page.

  • Improved the logic of applying Custom Field Mapping. Now, value mappings are applied only if there's an exact match. For example, if netstat is mapped to NET_STAT, this value will be replaced in CommandLine="netstat", but CommandLine="netstat -nao" will be kept without changes since the match is only partial.

  • Fixed a bug where translation into Elastic Rule in some cases could have a UUID that was different from the UUID of the original Sigma rule.

  • Fixed minor layout issues that sometimes appeared on the Cyber Threat Search Engine.
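The Custom Field Mapping change in the list above (value mappings applied only on an exact match) is illustrated by the following added Python example, which is not the platform's own code. It walks the Field="value" pairs of a translated query and swaps a value only when the whole quoted value equals a mapping key, and contrasts that with the plain substring replacement that would also rewrite the partial match. The regex for locating field/value pairs and the netstat mapping are assumptions of the example.

```python
"""Illustrative exact-match value mapping for a translated query.
Example code written for these release notes; not the SOC Prime Platform's implementation."""
import re
from typing import Dict

# Matches Field="value" or Field='value' pairs in a translated query; the back-reference
# \2 makes the closing quote match the opening one.
FIELD_VALUE_RE = re.compile(r"""(\w+)=(["'])(.*?)\2""")


def apply_value_mapping(query: str, value_map: Dict[str, str]) -> str:
    """Replace a quoted value only when the entire value equals a mapping key."""
    def substitute(match: re.Match) -> str:
        field, quote, value = match.groups()
        # Exact lookup: "netstat -nao" is not a key, so it is left untouched.
        return f"{field}={quote}{value_map.get(value, value)}{quote}"
    return FIELD_VALUE_RE.sub(substitute, query)


def naive_value_mapping(query: str, value_map: Dict[str, str]) -> str:
    """Plain substring replacement: also rewrites partial matches, which is the
    behaviour the exact-match rule avoids."""
    for old, new in value_map.items():
        query = query.replace(old, new)
    return query


# Constructed mapping and queries mirroring the example in the notes.
VALUE_MAP = {"netstat": "NET_STAT"}
EXACT_QUERY = 'CommandLine="netstat"'
PARTIAL_QUERY = 'CommandLine="netstat -nao"'

if __name__ == "__main__":
    print(apply_value_mapping(EXACT_QUERY, VALUE_MAP))    # value replaced
    print(apply_value_mapping(PARTIAL_QUERY, VALUE_MAP))  # value kept
    print(naive_value_mapping(PARTIAL_QUERY, VALUE_MAP))  # partial match rewritten
```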
