March 22, 2023
© 2023 SOC Prime Inc.
All rights reserved. This product and documentation related are protected by copyright and distributed under licenses restricting their use, copying, distribution, and decompilation. No part of this product or documentation related may be reproduced in any form or by any means without the prior written authorization of SOC Prime. While every precaution has been taken in the preparation of this book, SOC Prime assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.
Uncoder AI
We've launched Uncoder AI, a tool that makes the everyday work of detection engineers and threat hunters easier and more efficient. Code, validate, and share your detection ideas in the blink of an eye with this all-in-one tool for technology-agnostic detection engineering powered by collective intelligence and backed by Sigma and MITRE ATT&CK® as code assistants.
Uncoder AI provides three main capabilities:
Powerful Sigma rule editor with instant access to the world's largest collection of Sigma rules.
Automated detection content converter that supports dozens of SIEM, EDR, and XDR formats and optionally offers AI-powered translations.
IOC parser and query generator to turn a security report or advisory into queries ready for launching in your platform.
Powerful Sigma Rule Editor
Uncoder AI offers an IDE-style experience when writing Sigma rules:
Instead of beginning from scratch, you can:
Use a Minimal SIGMA or Full SIGMA rule template.
Get inspiration and learn from thousands of Sigma rules in our collection sourced from SigmaHQ. Type a search term in the search bar and click on one of the suggested options.
If you use a translation of a Sigma rule from our collection in your environment, we encourage you to rate its results using the Action Loop feature. This will help your peers pick the best algorithms, and you can benefit from the aggregated feedback yourself.
When writing a Sigma rule, leverage the powerful editor features:
Syntax Highlighting. The syntax in the Sigma rule code is highlighted to make it more readable, emphasize the structure, and facilitate looking for errors.
Collapse/expand. You can also collapse and expand sections of a rule. To do it, click the arrow next to the row number. To expand a collapsed section, you can also click the arrows icon on the right of the visible row.
Autocomplete. Start typing and take advantage of the autocomplete functionality with suggestions that depend on the current component of the rule.
Action buttons. Copy to the clipboard, download, or delete the input.
Click the Validate icon to run the built-in automated checks and see if there are any syntax/structure errors or places for improvement.
The results of the checks are displayed under the input panel.
The number of available checks depends on your Uncoder AI subscription.
Automated Detection Content Converter
Uncoder AI offers automated translation of detection content:
From the platform-agnostic Sigma format to any supported platform format.
Between platform-specific formats (referred to as a reverse translation). This functionality is available:
Using the native Uncoder AI engine. This option produces reliable results, but the number of supported platforms is limited.
Using the ChatGPT engine. In this case, Uncoder AI pre-processes the request and post-processes the response to improve the result. Yet, since the translation itself is done by an artificial intelligence model, it's impossible to guarantee a high-quality result.
Reverse translations are offered only in the premium version of Uncoder AI. The balance of reverse translations available to your team is displayed in the upper right corner.
To translate a content item:
Paste the source content item in the input panel or select a Sigma rule using the search bar.
Select the source and target formats in the dropdowns.
Select the translation engine:
Uncoder AI. Your input will be translated with our native translation technology.
ChatGPT. Your input will be sent to ChatGPT and translated by its AI technology. Uncoder AI will form a proper request and post-process the response to improve the result.
Click Translate.
Once the translation has been generated, you can copy, download, or delete it using the action buttons.
Rate the translation to help us improve the underlying technology for the selected platform pair.
IOC Parser and Query Generator
You can generate custom IOC-based queries on the fly. Uncoder AI automatically identifies IOCs in the pasted text or uploaded file, saving you a lot of time. Then you can generate queries based on the identified IOCs.
The following IOC types are supported:
Hash
Domain
URL
IP
To generate queries:
Upload a report or other file in CSV, JSON, or TXT format containing IOC data. Uncoder AI automatically identifies any IOCs in the file and highlights them with respective colors. Alternatively, you can just paste the text with IOCs into the input panel.
Select IOC as the input type.
Now you can see the number of parsed IOCs at the bottom of the input panel. Identified IOCs are color-coded in the input.
You can click the Settings icon to see additional parsing settings that are all enabled by default:
Select all — all listed options are applied
Replace (.) [.] {.} with dot
Replace hxxp with http — this functionality is case insensitive, so hXXp, HXXP, HXXp, and hXXP are replaced as well
Exclude Private & Reserved Networks — private and reserved IP addresses like 224.0.0.0/4 or 127.0.0.0/8 are ignored during IOC recognition
Select the platform format of the queries.
Click Translate. The generated custom IOC queries are displayed in the output panel and are ready for hunting in the selected platform.
Optionally, you can edit the queries, as well as copy them to the clipboard, download them, or delete them with action buttons.
Attack Detective
We've launched Attack Detective, a tool to run automated investigations in your environments using relevant Sigma rules from the world's largest collection. Verify thousands of hypotheses automatically to understand what is really happening in your organization.
An investigation includes two stages: data audit and scanning:
During the data audit, we automatically analyze log data collected in your environments to determine your MITRE ATT&CK® coverage and potential gaps in log sources.
Scanning involves querying your logs for the selected period with translations of all Sigma rules from the SOC Prime Platform that are available to you and relevant to your environments.
When the scan results are ready, review and verify them right from Attack Detective. When reviewing the results, you can see the aggregated statistics of other users' feedback on the queries, which helps you understand the potential value of a given query. Your feedback will be incorporated into the statistics as well to help other users better evaluate the queries.
Currently, Attack Detective supports the following platforms:
Microsoft Sentinel
Microsoft Defender for Endpoint
Elasticsearch
We're working on adding support for new platforms.
Attack Detective gains complete data visibility from your organization's own logs while following the principle of querying data in its native location. Data is never moved and there is no unnecessary duplication, which is cost-effective and also aligns with Zero Trust Architecture: security-related data does not change ownership, and no ownership is inherited in a new data location. This puts the Zero Trust principles of least privilege and no inherent trust into action.
We do not collect or copy your data during an investigation. Counts of IPs, usernames, and other identifiers are calculated from hashes of their unique values, so your data stays where it lives and remains private.
Investigation Setup
When starting an Investigation, select the period for which to query your data and set the environments where the data lives.
You can configure integration with your environments in the Environments section of the SOC Prime Platform. When you set up an environment, make sure that Attack Detective is selected as the place to use it.
If a Custom Field Mapping profile is linked to the selected environment, it will be applied automatically during the scan.
Note:
To enable each company to check out the functionality of Attack Detective, we've added the capability to configure one environment even under a Community subscription plan on the SOC Prime Platform.
Data Audit
Data Audit enables you to check what log sources have been automatically identified in your environments and see what data components you're missing for comprehensive detection.
Visibility
This tab shows data tables automatically identified in your environments. These tables will be queried during the scanning stage.
You can fine-tune and customize the tables.
The spider chart on the left shows:
Detection Coverage: The percentage of techniques within each tactic covered by queries that can be applied to your log sources in their current state
Extended Visibility: The percentage of techniques within each tactic that can potentially be used according to your log sources found during analysis (based on MITRE ATT&CK Data Components)
Blind Spots
Check what log sources you are missing. They are broken down by MITRE ATT&CK data components.
The spider chart on the left shows:
Detection Coverage: The percentage of techniques within each tactic covered by queries that can be applied to your log sources in their current state
Full-Scope Visibility: The percentage of techniques within each tactic potentially detectable through your logs (based on MITRE ATT&CK Data Components) after implementing the recommended improvements listed on the Blind Spots tab
You can export the results of the Data Audit in the following formats:
ATT&CK Navigator
DeTT&CT .YAML
.CSV
Next Steps
You can proceed to scanning with current log sources or save the Data Audit results, add what's missing in your environments, and then resume the investigation.
Scan Results
By default, the dashboard shows the summary of the most recent scan results.
You can check the progress of the current scan using the progress bar.
On the right of the progress bar are action buttons:
Click the logs button on the right of the progress bar to open the scan logs.
The Complete tab shows the queries that were successfully executed. The Errors tab shows the failed queries together with the error message. For example, if you use a non-standard data schema, queries may require Custom Field Mapping.
Result Summary
The spider chart shows your attack surface in terms of MITRE ATT&CK, indicating the percentage of techniques/sub-techniques for each tactic that had hits with relevant queries in the current investigation.
Suspected Actors. Top 3 actors associated with the potential adversary activity in your environments.
Used tools. Top 3 tools associated with the potential adversary activity in your environments.
Entities at Risk. The number of accounts and assets affected by the potential adversary activity in your environments. We calculate IPs, usernames, and other identifiers based on SHA256 hashes of their unique values, so your data stays private.
Technique Prevalence. Top 3 techniques/sub-techniques associated with the potential adversary activity in your environments.
Click Examine Details to go to the scan details and process its results.
Scan Details
This page shows all the queries that had hits during the scan. To help you better understand the situation at a glance, we also provide a MITRE ATT&CK heat map.
Heat Map
It shows the intensity of the query hits over time, broken down by the tactics associated with the detected adversary activities. The closer a cell's color is to red, the more hits related to that tactic were detected over the indicated time period. Hover over a cell to see the corresponding number of hits.
To see the queries that had hits during a specific time period on the heat map, click this period. To remove this filter, click the period again.
Filters by Actors, Tools, and Techniques
Use the filter panel on the left of the heat map to additionally filter the queries with hits. You can hide and show the panel with the < and > icons.
First select a tab (Suspected Actors, Tools, or Techniques), and then a specific value. This way, you can see queries associated with particular actors, tools, or techniques.
To remove the filter, click the All Actors, All Tools, or All Techniques option.
Verifying Hits
Review the results of the queries that had hits to verify them and continue your investigation in the affected environments. The queries are sorted in the recommended order that takes into account the global user feedback.
1. Click the Hunt icon to run the query in your environments for the same time period that was selected for the investigation.
After clicking the Hunt icon, select the environments in which you want to run the query. Your security platform interface will open in a new tab for each selected environment.
2. Investigate the potential threat and assign the query a status using an icon on the right:
After clicking an icon, select the environments for which you want to assign the status. You can assign statuses individually for each environment.
Status | Description | Color Code
Confirmed | There's enough data and context to confirm an incident or successful simulation | Dark Blue
False positive | There's enough data and context to dismiss the query result as noise | Amber
No root cause | It's clear that the query has found something, but there's no data on surrounding events or inside a specific event to decide whether it was a true positive, false positive, or benign behavior | Yellow
Benign behavior | There's enough data to determine that the activity led to no harm and enough context to understand that the same event can be a true positive given different surrounding events (other hits) | Light Blue
Tuning required | The query works but needs further optimization to reduce noise or improve performance | White
The status you assign becomes part of the global feedback mechanism, an action loop intended to dynamically recommend the most relevant queries to all users. When you rate a query, you help not just yourself but your peers as well and create a massive positive network effect. Security specialists using different technologies can exchange feedback on platform-agnostic Sigma algorithms without sharing their data and without disclosing whether they were breached.
Reverse Translations from QRadar
We've improved the capabilities for reverse translation from QRadar format that security practitioners can leverage in Uncoder AI:
Added support for keyword parsing and AQL aggregation.
Solved an issue where a log source in some cases could be placed in the detection component of the Sigma rule.
Environments
We've made some improvements to the logic of the recently redesigned Environments setup page:
Now the Continuous Content Management and direct deployment from a Sigma rule page option is pre-selected if the user's company has either Continuous Content Management or Environments functionality enabled.
If the Attack Detective checkbox is set for an Elastic Stack environment, the required fields for Elastic configuration are shown automatically.
Recommendation Algorithms
We've improved our recommendation algorithms to ensure that each SOC Prime Platform user sees the most relevant and recent content.
Exclusive Access to a Sigma Rule
We've removed the capability to get exclusive access to a Sigma rule with the Wait to Unlock status.
Now, the only way to access Sigma rules as soon as they are released is purchasing an Instant Access (24-h SLA) add-on for an Enterprise subscription.
User Experience Improvements
We've made some improvements to the user experience:
Made the color of the stars that indicate rating consistent for all content types. Now, all stars are gray.
Updated the Code tab when the Sigma rule is not available.
Key Bug Fixes & Improvements
With this release, we’ve made the following key bug fixes and improvements to enhance the user experience with the SOC Prime Platform:
Fixed a bug with sorting by content type in Advanced Search where Alerts and Queries were mixed.
Resolved an issue with Custom Field Mapping for Splunk. In some cases, if a profile with an index mapping was applied, the source field and its value disappeared from the detection code.
Fixed a bug in Environments. After editing the URL for a Microsoft Sentinel integration, in some cases the validation of the field did not work correctly and an "Environment name already exists" error message was displayed.
Changed the color and style of the Submit button in the Help Request modal in Onboarding to make it consistent with the design of other buttons on the SOC Prime Platform.
Fixed a bug at socprime.com and SOC Prime's website where after clicking the Community option in the top navigation menu or footer, in some cases the main page opened without scrolling to the Community section.
