
SOC Prime Platform Product Release Notes 5.7.0

Written by Sergey Bayrachny

March 8, 2023

© 2023 SOC Prime Inc.

All rights reserved. This product and documentation related are protected by copyright and distributed under licenses restricting their use, copying, distribution, and decompilation. No part of this product or documentation related may be reproduced in any form or by any means without the prior written authorization of SOC Prime. While every precaution has been taken in the preparation of this book, SOC Prime assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

Content Quality Improvements


We've made multiple improvements in translations of Sigma rules into the following platform formats.

Microsoft Sentinel and Microsoft Defender for Endpoint

  • Added the @ (verbatim string literal) prefix before string values in translations of Sigma condition components where it was missing. For example, this fragment of a Sigma rule:

detection:
  selection:
    CommandLine:
      - 'example'
  condition: selection

now translates into:

where (CommandLine =~ @'example')

  • Applied the in operator to translations where the source Sigma rule lists several values for a field. For example, this fragment of a Sigma rule:

detection:
  selection1:
    CommandLine:
      - 'example1'
      - 'example3'
  selection2:
    CommandLine:
      - 'example2'
      - 'example4'
  condition: selection1 or selection2

now translates into:

where (CommandLine in~ (@'example1', @'example3') or CommandLine in~ (@'example2', @'example4'))

  • Improved the syntax in translations of components with the AND NOT operator. For example, this fragment of a Sigma rule:

detection:
  selection1:
    CommandLine:
      - 'example1'
  selection2:
    CommandLine:
      - 'example2'
  condition: selection1 and not selection2

now translates into:

where (CommandLine =~ @'example1' and not (CommandLine =~ @'example2'))

Chronicle Security

  • Improved the syntax in translations of components with the AND NOT operator. For example, this fragment of a Sigma rule:

detection:
  selection1:
    CommandLine:
      - 'example1'
  selection2:
    CommandLine:
      - 'example2'
  selection3:
    CommandLine:
      - 'example3'
  condition: selection1 and selection2 and not selection3

now translates into:

target.process.command_line = "example1" and target.process.command_line = "example2" and target.process.command_line != "example3"

  • Made Sigma rules with the condition component of the following types non-translatable into the Chronicle Security formats:

    • selection1 and selection2 or selection3

    • selection1 or selection2 and not selection3

  • Resolved an issue that in some cases prevented the generation of Chronicle Security Query translation for a Sigma rule with contains|all modifier.
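As an added worked example (not SOC Prime's translation code and not pySigma), the following Python reproduces the Microsoft Sentinel/Defender and Chronicle Security translation behaviours described in the two sections above: the @ verbatim-string prefix, in~ for value lists and not (...) for AND NOT in KQL, and = / != joined by and for Chronicle, with conditions that mix and/or treated as non-translatable. It also handles parenthesised Sigma conditions, which the notes do not show. The Sigma fragments are written as already-parsed dicts so no YAML library is needed; the mapping of CommandLine to target.process.command_line, the token-based mixed and/or check, and the KQL quote escaping are this example's own assumptions.

```python
"""Added example (not SOC Prime's engine, not pySigma): a minimal Sigma
condition translator reproducing the Sentinel/Defender (KQL) and Chronicle
behaviours these notes describe. UDM field map is an assumption."""
import re

_TOKEN = re.compile(r"\(|\)|\band\b|\bor\b|\bnot\b|[A-Za-z_][A-Za-z0-9_]*")  # not > and > or

def parse_condition(text):
    """Parse into ('or', [..]), ('and', [..]), ('not', node) or ('sel', name)."""
    tokens, pos = _TOKEN.findall(text), 0

    def parse(level=0):  # level 0 = or, 1 = and, 2 = not / atom
        nonlocal pos
        if level < 2:
            op = ("or", "and")[level]
            parts = [parse(level + 1)]
            while pos < len(tokens) and tokens[pos] == op:
                pos += 1
                parts.append(parse(level + 1))
            return parts[0] if len(parts) == 1 else (op, parts)
        tok = tokens[pos] if pos < len(tokens) else None
        pos += 1
        if tok == "not":
            return ("not", parse(2))
        if tok == "(":
            node = parse(0)
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError(f"missing ')' in {text!r}")
            pos += 1
            return node
        if tok is None or tok in (")", "and", "or"):
            raise ValueError(f"unexpected token {tok!r} in {text!r}")
        return ("sel", tok)

    node = parse()
    if pos != len(tokens):
        raise ValueError(f"trailing tokens in {text!r}")
    return node

def _values(raw):
    return list(raw) if isinstance(raw, list) else [raw]  # YAML lists stay lists

def _kql_str(value):
    return "@'" + str(value).replace("'", "''") + "'"  # verbatim literal, quote doubled

def to_kql(detection):
    """Sentinel/Defender 'where' clause: =~ for one value, in~ for several."""
    sels = {k: v for k, v in detection.items() if k != "condition"}

    def selection(fields):
        parts = []
        for field, raw in fields.items():
            vals = [_kql_str(v) for v in _values(raw)]
            parts.append(f"{field} in~ ({', '.join(vals)})" if len(vals) > 1
                         else f"{field} =~ {vals[0]}")
        return " and ".join(parts)

    def emit(node, parent=None):
        if node[0] == "sel":
            return selection(sels[node[1]])
        if node[0] == "not":
            return f"not ({emit(node[1])})"
        text = f" {node[0]} ".join(emit(c, node[0]) for c in node[1])
        return f"({text})" if node[0] == "or" and parent == "and" else text  # or under and

    return f"where ({emit(parse_condition(detection['condition']))})"

UDM_FIELDS = {"CommandLine": "target.process.command_line"}  # assumed mapping

def chronicle_translatable(detection):
    # Per the notes, a condition mixing 'and' with 'or' is not translatable.
    return not {"and", "or"} <= set(_TOKEN.findall(detection["condition"]))

def to_chronicle(detection):
    """Chronicle expression; a negated selection becomes '!=' joined by 'and'."""
    if not chronicle_translatable(detection):
        raise ValueError("mixed and/or condition is not translatable for Chronicle")
    sels = {k: v for k, v in detection.items() if k != "condition"}

    def selection(fields, negate):
        parts = []
        for field, raw in fields.items():
            udm, vals = UDM_FIELDS[field], _values(raw)
            if negate:  # not (f = a or f = b)  ->  f != a and f != b
                parts.append(" and ".join(f'{udm} != "{v}"' for v in vals))
            else:
                clause = " or ".join(f'{udm} = "{v}"' for v in vals)
                parts.append(f"({clause})" if len(vals) > 1 else clause)
        return (" or " if negate else " and ").join(parts)

    def emit(node):
        if node[0] == "sel":
            return selection(sels[node[1]], False)
        if node[0] == "not" and node[1][0] == "sel":
            return selection(sels[node[1][1]], True)
        if node[0] == "not":
            raise ValueError("this example only negates a single selection")
        return f" {node[0]} ".join(emit(c) for c in node[1])

    return emit(parse_condition(detection["condition"]))

# Constructed input: the page's Chronicle fragment as parsed YAML.
PAGE_RULE = {"selection1": {"CommandLine": ["example1"]}, "selection2": {"CommandLine": ["example2"]},
             "selection3": {"CommandLine": ["example3"]},
             "condition": "selection1 and selection2 and not selection3"}
```

Calling to_chronicle(PAGE_RULE) yields exactly the Chronicle translation quoted above, and to_kql on the three Sentinel fragments yields the three KQL where clauses quoted in that section; chronicle_translatable returns False for the two mixed and/or condition shapes the notes list as non-translatable.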

Splunk

  • Fixed cases where AND NOT operator in the translation contained a double space.

Sumo Logic

  • Improved the syntax in translations of components with the AND NOT operator. For example, this fragment of a Sigma rule:

condition: selection1 or selection2 and not selection3

which, for a rule with product: windows in its logsource, now translates into:

((_sourceCategory=*windows* AND (((CommandLine = selection1) OR (((CommandLine = selection2) AND NOT (CommandLine = selection3)))))))

  • Improved processing of the OR operator combining list values with the contains|all modifier. Now the following fragment of a Sigma rule:

detection:
  selection_dll:
    ImageLoaded|endswith:
      - '\MpClient.dll'
  filters:
    - ImageLoaded|contains|all:
        - 'Program'
        - 'Files'
        - 'Windows'
        - 'Defender'
    - ImageLoaded|contains|all:
        - 'ProgramData'
        - 'Microsoft'
        - 'platform'
        - 'Windows'
        - 'Defender'
  condition: selection_dll and not filters

translates into:

("\MpClient.dll") AND !((Program AND Files AND Windows AND Defender) OR (ProgramData AND Microsoft AND platform AND Windows AND Defender))

Microsoft Defender for Endpoint

  • Updated the logic of translation generation. If a Sigma rule includes any unsupported field, no translation is generated. If a Sigma rule includes an EventID and has service: sysmon in its logsource, the translation is generated without the EventID.

QRadar

  • Improved the syntax in translations of components with keywords. For example, this fragment of a Sigma rule:

detection:
  keywords0:
    - 'logdesc="Application crashed"'
  keywords1:
    - 'application: sslvpnd'
  condition: all of them

now translates into:

UTF8(payload) ILIKE '%logdesc="Application crashed"%' AND UTF8(payload) ILIKE '%application: sslvpnd%'

AWS Athena


As part of our constant effort to expand the list of supported security technologies, we've added support for a new platform, AWS Athena. Sigma rule translations are available for both standard schema and OCSF (Open Cybersecurity Schema Framework).

To filter for content translated into this platform format, use the Platform filter in Advanced Search or Detection Engineering.

We've also added this platform to the Threat Bounty Portal.

Integration Environments


Improved Configuration Flow


We've updated and simplified the process of configuring an integration environment. Now, instead of setting up each type of integration with your environment separately on different tabs, you can define all integration parameters in one place.

To see what parameters you need to specify, first select where you want to use the integration. Depending on your choice, you'll see a set of fields to be filled out.

Chronicle Security


To simplify the configuration of an integration environment for this platform, we've restored the capability to import credentials from a JSON file.

On Demand Versions Updated


To align our offerings with the needs of security experts, we've updated the available versions of the On Demand subscription plan. Now, they are as follows:

  • 50+500* rules (sigma2savelives)

  • 125 rules

  • 250 rules

  • 600 rules

CCM API Improvements


We've improved our Continuous Content Management (CCM) API architecture to make it more reliable and facilitate further development.

Also, users can now pass the value default in the mapping_name parameter of the /v1/search-sigmas and /v1/content-list endpoints to apply a default Custom Field Mapping profile to each content item in the response.

Dashboards on the Home Page


To improve the user experience, we've updated the colors used in the Content Usage and Usage Trend Compared to Industry dashboards.

Platform Guides


We've updated our Platform Guides to keep them consistent with the new functionality on the SOC Prime Platform.

Key Bug Fixes & Improvements


With this release, we’ve made the following key bug fixes and improvements to enhance the user experience with the SOC Prime Platform:

  • Fixed a bug where in some cases IP addresses were not recognized in Uncoder.IO.

  • Improved Leaderboards:

    • Changed label format on the time scale of the yearly Release Dynamics graph to year/month.

    • Added sorting indicators to the column names in the Top 50 Authors Statistics chart.

  • Fixed a bug in the mobile version of the Home Page where the circle with the percentage of covered techniques/sub-techniques was not displayed.

  • Resolved an issue in Custom Field Mapping where, in some cases, a new value in the additional value{Old Value} format that was mapped to an old value for a specific field was applied to all fields rather than only to the field specified in the settings.

  • Fixed a bug in the CCM API where, in responses from the /v1/content-list and /v1/jobs/{job_id}/get-content endpoints, the tags.technique field of rules was empty in some cases.
