
SOC Prime Platform Product Release Notes 5.7.2

Written by Sergey Bayrachny

April 7, 2023

© 2023 SOC Prime Inc.

All rights reserved. This product and documentation related are protected by copyright and distributed under licenses restricting their use, copying, distribution, and decompilation. No part of this product or documentation related may be reproduced in any form or by any means without the prior written authorization of SOC Prime. While every precaution has been taken in the preparation of this book, SOC Prime assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

Content Quality Improvement


With this release, we've added support for the windash modifier in Sigma rules. The modifier covers the parameter prefix characters / and -, which are often interchangeable in Windows: when one of them appears at a word boundary, the value is also expanded into the form with the other character. For example, in -param-name the first dash is expanded into /param-name, while the second dash is left untouched because it is not at a word boundary.
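To make the expansion rule concrete, here is an added Python illustration (not the platform's own implementation) of what a windash-style modifier produces for a value. It treats a - or / as a parameter prefix when it starts the value or directly follows whitespace; that boundary rule is an assumption read from the -param-name example, and the sample command line is constructed.

```python
import re
from itertools import product

# The two parameter prefix characters that windash treats as interchangeable.
WINDASH_CHARS = ("-", "/")

# Assumption: a - or / is a parameter prefix when it starts a token, i.e. it is at
# the beginning of the value or directly follows whitespace. This reproduces the
# release note's example (-param-name -> /param-name, second dash untouched); the
# platform's exact word-boundary rule is not spelled out on the page.
_PREFIX_RE = re.compile(r"(?:^|(?<=\s))[-/]")


def windash_variants(value: str) -> set[str]:
    """Return every form of `value` obtained by swapping each parameter prefix
    between - and /, in all combinations (2**n variants for n prefixes)."""
    positions = [m.start() for m in _PREFIX_RE.finditer(value)]
    variants = set()
    # product(..., repeat=0) yields one empty tuple, so a value without any
    # prefix comes back unchanged as its only variant.
    for choice in product(WINDASH_CHARS, repeat=len(positions)):
        chars = list(value)
        for pos, ch in zip(positions, choice):
            chars[pos] = ch
        variants.add("".join(chars))
    return variants


def expand_windash(values: list[str]) -> list[str]:
    """Expand a list of rule values the way a backend would before emitting an
    OR of all of them: each value is replaced by its sorted set of variants."""
    expanded = []
    for value in values:
        expanded.extend(sorted(windash_variants(value)))
    return expanded


if __name__ == "__main__":
    # Constructed sample value: a command line with two parameter prefixes.
    for variant in sorted(windash_variants("cmd.exe /c -param-name")):
        print(variant)
```

Because every prefix doubles the number of variants, a value with several parameters expands to a correspondingly larger OR list in the translated query; that is the cost of covering both spellings without listing them by hand in the rule.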

Also, we've enhanced the quality of translations into the following platform formats.

Chronicle Security


We've added support for translations of Sigma rules that include date and time.

Elastic Query


We've improved the translation of Exclude logic for this platform format. Now, a Sigma rule with this type of condition:

detection:
    selection_eid:
        EventID: 4648
    filters:
        - Image|contains:
            - 'AAA'
        - Image|contains|all:
            - 'BBB'
            - 'CCC'
    condition: selection_eid and not filters

will be translated with the following syntax:

winlog.event_id:"4648" AND (NOT ((process.executable.text:*AAA*) OR (process.executable.text:*BBB* AND process.executable.text:*CCC*)))
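The structure behind that output, as an added illustration that is not the platform's translator: a small Python renderer walks the detection block (embedded as a dict so no YAML parser is needed), maps EventID and Image to the ECS fields seen in the output, ORs the items of a list-of-maps search, ANDs the values of a field carrying the all modifier, and wraps each negated condition element in (NOT ...). The field map and the restriction to conditions of the form a and b and not c are assumptions of this example.

```python
import re

# Sigma field -> ECS field, limited to the two fields in the release note's example
# (assumption: the platform's full mapping table is not on the page).
FIELD_MAP = {
    "EventID": "winlog.event_id",
    "Image": "process.executable.text",
}

# Constructed copy of the release note's detection block as a Python dict.
DETECTION = {
    "selection_eid": {"EventID": 4648},
    "filters": [
        {"Image|contains": ["AAA"]},
        {"Image|contains|all": ["BBB", "CCC"]},
    ],
    "condition": "selection_eid and not filters",
}


def render_term(es_field, value, modifiers):
    """Render one field/value pair in Lucene query syntax."""
    if "contains" in modifiers:
        return f"{es_field}:*{value}*"
    if "startswith" in modifiers:
        return f"{es_field}:{value}*"
    if "endswith" in modifiers:
        return f"{es_field}:*{value}"
    return f'{es_field}:"{value}"'


def render_field(key, value):
    """A field with several values is an OR of terms, or an AND with `all`."""
    field, *modifiers = key.split("|")
    es_field = FIELD_MAP.get(field, field)
    values = value if isinstance(value, list) else [value]
    terms = [render_term(es_field, v, modifiers) for v in values]
    joiner = " AND " if "all" in modifiers else " OR "
    return joiner.join(terms)


def render_map(selection):
    """Fields inside one map are ANDed; a multi-value field is parenthesised
    only when it sits next to other fields."""
    parts = []
    for key, value in selection.items():
        rendered = render_field(key, value)
        if len(selection) > 1 and isinstance(value, list) and len(value) > 1:
            rendered = f"({rendered})"
        parts.append(rendered)
    return " AND ".join(parts)


def render_search(detection, name):
    """A map renders directly; a list of maps is an OR of parenthesised maps."""
    body = detection[name]
    if isinstance(body, dict):
        return render_map(body)
    return "(" + " OR ".join(f"({render_map(m)})" for m in body) + ")"


def translate(detection):
    """Translate conditions of the form `a and b and not c` (the only grammar this
    example handles); each `not x` becomes `(NOT <x>)`, which produces the
    exclude syntax shown in the release note."""
    clauses = []
    for part in detection["condition"].split(" and "):
        part = part.strip()
        negate = part.startswith("not ")
        name = part[4:].strip() if negate else part
        if not re.fullmatch(r"\w+", name):
            raise ValueError(f"unsupported condition element: {part!r}")
        rendered = render_search(detection, name)
        clauses.append(f"(NOT {rendered})" if negate else rendered)
    return " AND ".join(clauses)


if __name__ == "__main__":
    print(translate(DETECTION))
```

The point of the parenthesised (NOT ...) wrapper is that the whole filters search is negated as one unit; without it, a list-of-maps exclusion would only negate its first alternative and the query would silently stop excluding the BBB and CCC case.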

Microsoft Defender for Endpoint


We've improved the logic of generating translations depending on whether the fields from the original Sigma rule are supported or not supported for this platform.

Splunk Query


We've ensured that index=* is added to queries with appropriate log sources in the original Sigma rule.

Uncoder AI


Reverse Translations from Splunk Query


We've added support for reverse translations from Splunk Query. Now, you can translate Splunk Queries to any supported target format.

Translation into OSCF


We've added support for translation from a default data schema to OSCF for the following platform formats:

  • OpenSearch Query

  • OpenSearch Rule

  • Elastic Rule

  • Elasticsearch Query

  • Humio Alert

  • Humio Query

  • QRadar Query

  • Snowflake Query

  • Splunk Alert

  • Splunk Query

  • Sumo Logic Query

Premium Sigma Rules in Uncoder AI


We've expanded the content accessible via Search by adding premium Sigma rules published in the Threat Detection Marketplace. Now, security experts can leverage the full potential of the world's largest collection of Sigma rules.

To get the code of a premium Sigma rule, hover over it and click Unlock. The rule will be unlocked using your team's premium Sigma rule balance and will become available to your team across the SOC Prime Platform.

UX Improvements


We've added a tooltip informing the user that their reverse translation balance is empty.

Attack Detective


Support for Splunk Cloud


We've added support for Splunk Cloud in Attack Detective. Currently, this functionality is in beta. If you have any feedback, reach out to us in the live chat.

To scan your Splunk environment, first set up its integration configuration in Environments.

  1. Go to Automate > Environments.

  2. Click Create Profile.

  3. Name your environment, choose if you want to share it with your teammates, and select Splunk as your platform.

  4. Select Attack Detective as the place to use the environment.

  5. Fill in the required fields:

    • Splunk URL (the URL of your Splunk web console, which you can copy from your browser; it must include the hostname and the port number unless the default port 443 is used)

    • Splunk Username

    • Splunk Password

    • Splunk API URL

  6. Optionally, set Default Custom Field Mappings.

  7. Click Save Changes.

When your environment is set up, add it during the new investigation configuration in Attack Detective.

Hit Count on the Heat Map


To improve the user experience on the heat map, we've moved the hit count from the cell itself to the tooltip displayed upon hovering over the cell.

Date Format on the Heat Map


To make the heat map more informative, we've updated the date format displayed for each column when a column represents a week to mm.dd-mm.dd.

Warden Checks


We've improved Warden checks that are used to automatically validate Sigma rule syntax and structure in Threat Bounty Portal, Uncoder AI, and Uncoder IO.

Now, a condition component with a wildcard, such as:

 condition: all of selection*

passes validation successfully if it matches search identifiers in the detection component. So, the condition in the example above passes validation when the detection looks like this:

detection:
    selection1:
        ImageLoaded|endswith: 123
    selection2:
        ImageLoaded|endswith: qwe
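An added Python illustration of the check described above (not the Warden implementation): it expands all of X* and 1 of X* against the search identifiers of the detection block using shell-style wildcards, then verifies that every identifier left in the condition exists. A wildcard that matches nothing, or a bare identifier that is not defined, is reported as a validation failure. The detection dict reproduces the release note's example; the quantifiers supported and the error wording are assumptions of this example.

```python
import fnmatch
import re

# Constructed detection block matching the release note's example.
DETECTION = {
    "selection1": {"ImageLoaded|endswith": "123"},
    "selection2": {"ImageLoaded|endswith": "qwe"},
    "condition": "all of selection*",
}

# Quantified expressions this example understands: "all of <pattern>" and
# "1 of <pattern>" (assumption: other N-of forms are not handled here).
_QUANTIFIED = re.compile(r"\b(all|1) of (\S+)")
_KEYWORDS = {"and", "or", "not"}


def search_identifiers(detection):
    """Every key of the detection block except the condition itself."""
    return [key for key in detection if key != "condition"]


def expand_condition(detection):
    """Expand wildcard quantifiers into explicit identifiers and check that every
    identifier the condition uses is defined. Raises ValueError on failure."""
    names = search_identifiers(detection)

    def replace(match):
        quantifier, pattern = match.group(1), match.group(2)
        if pattern == "them":
            matched = list(names)
        else:
            matched = [n for n in names if fnmatch.fnmatchcase(n, pattern)]
        if not matched:
            raise ValueError(
                f"condition refers to {pattern!r} but no search identifier matches it"
            )
        joiner = " and " if quantifier == "all" else " or "
        return "(" + joiner.join(matched) + ")"

    expanded = _QUANTIFIED.sub(replace, detection["condition"])

    # After expansion only keywords and defined identifiers may remain.
    for token in re.findall(r"\b[A-Za-z_]\w*", expanded):
        if token not in _KEYWORDS and token not in names:
            raise ValueError(f"condition uses undefined search identifier {token!r}")
    return expanded


def validate_condition(detection):
    """Return (ok, detail): detail is the expanded condition when ok, or the
    validation error message otherwise."""
    try:
        return True, expand_condition(detection)
    except ValueError as err:
        return False, str(err)


if __name__ == "__main__":
    print(validate_condition(DETECTION))
```

Run against the example rule, the check expands all of selection* to (selection1 and selection2) and accepts it; renaming the searches to something the wildcard no longer matches makes the same condition fail, which is the mismatch the improved Warden check is meant to catch before the rule reaches a backend.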

Nomination Prompt


We've temporarily added a modal prompting users to nominate SOC Prime as a rising PLG star in OpenView's PLG Next 50.

In appreciation of nominating, the user gets a promo code for 3 premium Sigma rules.

UI Improvements


Home Page


We've updated the confirmation message that appears after the user requests to change their company's industry. The updated wording is intended to set clear expectations as to what's going to happen next.

Filters


We've removed the outdated Executor Name filter from Advanced Search and Detection Engineering.

Threat Bounty Portal


We've updated the SOC Prime Threat Bounty Program Terms and ensured that the document is correctly referenced throughout the Threat Bounty Portal.

Platform Guides


We've updated the Platform Guides to reflect the most recent functionality of the SOC Prime Platform and added a dedicated Guide for Uncoder AI.

Key Bug Fixes & Improvements


With this release, we’ve made the following key bug fixes and improvements to enhance the user experience with the SOC Prime Platform:

  • Removed a duplicate review on socprime.com

  • Fixed a layout bug in Attack Detective where a tooltip in some cases could be partially shown outside the visible screen space

  • Resolved an issue where after a user session timed out on a Cyber Library page, the user in some cases was directed to a wrong page when they logged in again

  • Fixed a bug in Attack Detective where pausing a scan did not stop the scan duration counter shown in the UI

  • Fixed a bug in Attack Detective where in some cases an investigation in a Microsoft Sentinel environment with wrong credentials in configuration finished with an empty Data Audit page instead of the Progress page displaying an error
