
SOC Prime Platform Product Release Notes 5.7.3

Written by Sergey Bayrachny

April 19, 2023

© 2023 SOC Prime Inc.

All rights reserved. This product and documentation related are protected by copyright and distributed under licenses restricting their use, copying, distribution, and decompilation. No part of this product or documentation related may be reproduced in any form or by any means without the prior written authorization of SOC Prime. While every precaution has been taken in the preparation of this book, SOC Prime assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

Content Quality Improvement


We've improved the quality of Sigma rule translations into the following formats.

Elastic Stack


We've updated the mapping of Sigma rule fields when the re modifier is used, i.e. when the value is a regular expression. In such cases, the translation now uses the corresponding Elastic field without the .text suffix.
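The reason the keyword field matters: an Elasticsearch regexp query runs against indexed terms, and on an analysed .text field those are tokens, so anchors and patterns spanning whitespace never match. The following added example (not SOC Prime's translator; the FIELD_MAP values and Lucene output shape are assumptions) shows a minimal Sigma selection to Lucene translator that drops .text only when the re modifier is present:

```python
import re

# Hypothetical Sigma-to-Elastic field mapping for this example. The analysed ".text"
# subfield serves substring and wildcard matching; its keyword parent holds the raw value.
FIELD_MAP = {"CommandLine": "process.command_line.text", "Image": "process.executable.text"}
LUCENE_SPECIAL = re.compile(r'([+\-!(){}\[\]^"~*?:\\/ ])')

def elastic_field(sigma_field, modifiers):
    """Pick the Elastic field for a Sigma field, using the keyword parent for |re."""
    mapped = FIELD_MAP.get(sigma_field, sigma_field)
    # A regexp query on an analysed text field is evaluated per token, so anchors and
    # patterns spanning whitespace silently never match; the keyword field keeps the whole value.
    if "re" in modifiers and mapped.endswith(".text"):
        mapped = mapped[: -len(".text")]
    return mapped

def lucene_escape(value):
    """Backslash-escape Lucene query-string metacharacters in a literal value."""
    return LUCENE_SPECIAL.sub(r"\\\1", value)

def translate_selection(selection):
    """Translate one Sigma selection map into a Lucene query string (AND across keys)."""
    clauses = []
    for key, values in selection.items():
        field, *modifiers = key.split("|")
        target = elastic_field(field, modifiers)
        values = values if isinstance(values, list) else [values]
        joiner = " AND " if "all" in modifiers else " OR "
        terms = []
        for value in values:
            if "re" in modifiers:
                terms.append(f"{target}:/{value}/")  # regex is passed through verbatim
            elif "contains" in modifiers:
                terms.append(f"{target}:*{lucene_escape(value)}*")
            elif "startswith" in modifiers:
                terms.append(f"{target}:{lucene_escape(value)}*")
            elif "endswith" in modifiers:
                terms.append(f"{target}:*{lucene_escape(value)}")
            else:
                terms.append(f'{target}:"{value}"')
        clauses.append("(" + joiner.join(terms) + ")")
    return " AND ".join(clauses)
```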

Reverse Translations from Splunk


We've enhanced the processing of aggregations in the reverse translations from this platform.

Reverse Translations from QRadar


We've improved the processing of various logical operators and modifiers in the reverse translations from this platform.

Attack Detective


Support for Amazon Athena


We've added support for Amazon Athena environments in Attack Detective. Security experts can set up an integration with their Amazon Athena environment in the Environments module, and use it when configuring an investigation in Attack Detective.

To set up an Amazon Athena environment:

  1. Click Create Profile on the Automate > Environments page.

  2. Name your profile, select Amazon Athena as your platform, and choose whether to share the profile with your teammates. A shared environment is available for use, viewing, and editing by all users in your organization.

  3. Ensure Attack Detective is selected as the place where your environment will be used. Currently, only one option is available for Amazon Athena.

  4. Fill in the fields that appear in the Configuration section:

    • AWS Access Key ID

    • Secret Access Key

    • Database

    • Region

    • Query result location

    Note: To find out how to get the required credentials and set the correct permissions in Amazon Athena, see this article.

  5. Optionally, configure the following:

    • Default Custom Field Mappings. Select the Custom Field Mapping profiles you would like to assign to this environment. They will be applied automatically to Sigma Rule translations with matching Log Sources. You can configure a new profile by clicking the Gear icon.

  6. Click Save Changes.

  7. Check the connection status of the newly created environment on the Environments page:

    • If the status is Connected, the integration environment is ready for use.

    • If the status is Disconnected, see the information in the tooltip and check the entered credentials.

Once the environment is set up, you can add it when starting a new investigation in Attack Detective.

Note: the Blind Spots functionality for Amazon Athena is still in development.

UI Improvements


We've introduced multiple UI improvements:

  • Expanded the Logs modal window so that the error text fits the screen better

  • Added a tooltip that shows the full name when hovering over a truncated data table or log source name in Data Audit

  • Removed a redundant explanation text under the heat map

Uncoder AI


Support for New IOC Types


We've added support for emails and file names as IOC types. Now, security practitioners can automatically parse these types of IOCs and use them to generate queries in the selected platform formats.

Emails and file names are also supported in Uncoder.IO.

IOC-Based Queries Configuration


We've expanded Uncoder AI capabilities with a configuration menu for IOC-based queries.

To open the menu:

  1. Select IOC as your source.

  2. Select the desired target platform.

  3. Click the gear icon next to the Translate button.

In the menu, you can set configurations and fine-tune the generation of IOC-based queries:

  • Select what IOC types to use for queries

  • Set the number of IOCs per query to match the performance limits of your platform

  • Select what hash types to use for queries if the hash is enabled as an IOC type

  • Set up platform-specific IOC field mapping profiles

  • Define exceptions: specify hashes, domains, IPs, emails, files, or URLs (in full or only partially) you want to exclude from your queries

  • Choose whether to add the source IP to your query using the OR operator
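To make the new IOC types and the configuration options above concrete, here is an added example (not Uncoder AI's code): a small IOC-to-query generator that parses emails, file names, IPs and hashes, honours the enabled IOC and hash types, applies full or partial exceptions, chunks IOCs per query and optionally ORs a source IP field. The regexes, the Splunk field names and the sample report are constructed for this example.

```python
import re
# Simplified extractors for four of the IOC types Uncoder AI parses (emails and file names
# are the two added in this release). Constructed for this example: a real parser also
# needs domains, URLs and defanged forms such as hxxp:// or [.]
IOC_PATTERNS = {
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "file": re.compile(r"\b[\w-]+\.(?:exe|dll|ps1|bat|js|docx?)\b", re.IGNORECASE),
    "hash": re.compile(r"\b(?:[a-fA-F0-9]{64}|[a-fA-F0-9]{40}|[a-fA-F0-9]{32})\b"),
}
HASH_TYPE_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
# Hypothetical Splunk CIM-style field names, standing in for a platform IOC field mapping profile.
SPLUNK_FIELDS = {"ip": "dest_ip", "email": "recipient", "file": "file_name",
                 "md5": "file_hash", "sha1": "file_hash", "sha256": "file_hash"}

def extract_iocs(text, enabled_types, hash_types=("md5", "sha1", "sha256")):
    """Return deduplicated IOCs keyed by type; hashes are kept only for the enabled hash types."""
    found = {}
    for ioc_type in enabled_types:
        for match in IOC_PATTERNS[ioc_type].finditer(text):
            value, key = match.group(0), ioc_type
            if ioc_type == "hash":
                key = HASH_TYPE_BY_LEN[len(value)]
                if key not in hash_types:
                    continue
                value = value.lower()
            if value not in found.setdefault(key, []):
                found[key].append(value)
    return found

def apply_exceptions(iocs, exceptions):
    """Drop an IOC if any exception string matches it in full or as a substring."""
    return {k: [v for v in vals if not any(x in v for x in exceptions)] for k, vals in iocs.items()}

def build_queries(iocs, field_map, per_query, src_ip_field=None):
    """Emit one query per chunk of at most per_query IOCs; optionally OR a source IP field for IPs."""
    queries = []
    for key, values in iocs.items():
        for i in range(0, len(values), per_query):
            chunk = values[i:i + per_query]
            terms = [f'{field_map[key]}="{v}"' for v in chunk]
            if key == "ip" and src_ip_field:
                terms += [f'{src_ip_field}="{v}"' for v in chunk]
            queries.append("index=* (" + " OR ".join(terms) + ")")
    return queries

# Constructed sample report: documentation/private addresses and example.* domains only.
SAMPLE_REPORT = """The loader payload.exe (md5 D41D8CD98F00B204E9800998ECF8427E) was fetched
from 203.0.113.10; the lure came from billing@example.net. Our own scanner scanner@example.com
and its host 10.0.0.5 also appear in the exported log."""
```

Running extract_iocs, then apply_exceptions with ["example.com", "10.0.0."], strips the organisation's own scanner and host before any query is built.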

Translation Between Formats of the Same Platform


We've added support for translation between different formats of the same platform, for example, from Microsoft Sentinel Query to Microsoft Sentinel Rule.

Currently, the following pairs are supported:

  • Microsoft Sentinel Query ↔ Microsoft Sentinel Rule

  • Elasticsearch Query ↔ Elastic Rule ↔ Elastic Watcher ↔ Elastic Kibana Saved Search

  • Humio Query ↔ Humio Alert

  • AWS OpenSearch Query ↔ AWS OpenSearch Rule

  • Splunk Query ↔ Splunk Alert

If you translate a query into a rule/alert, values of some parameters in the translation, such as displayName or description in Microsoft Sentinel Rule, are left empty since there are no corresponding values in the source query. Don't forget to fill them in before deployment.

Improved Unlocking Flow


We've improved the flow of unlocking a Premium Sigma rule in Uncoder AI. Now, the code of the unlocked rule is automatically inserted into the input panel.

RBAC


We've introduced a Role-Based Access Control (RBAC) system to define the permissions of users on the SOC Prime Platform. This capability is only offered for Enterprise-level subscription plans.

For now, the system includes two permission levels:

  • Can Unlock. The user can unlock Premium Sigma rules

  • View Only. The user cannot unlock Premium Sigma rules

By default, all users have the Can Unlock permission level. The permission level for each user on a team can be updated by the team's Manager on the My Team tab in Account Settings.

The Manager can also define what permission level will be granted to all new users on their team by default.

The Manager is able to change their own permission level as well.

If the permission level has been updated successfully, a confirmation message is displayed.

When a user with the View Only permission level tries to unlock a Premium Sigma rule (from the Sigma rule page in TDM, in Dynamic List settings in CCM, or via Uncoder AI), they see a message about insufficient permissions.

Note: Users under a Community or On Demand plan always have the Can Unlock permission level that cannot be changed. In addition, these plans do not include a Manager role on the company's team.

Unlocking Premium Rules via CCM and API


We've added the capability to unlock Premium Sigma rules in the Continuous Content Management (CCM) module and via API. Currently, this capability is available only under an Enterprise subscription plan.

CCM


When creating a Dynamic List, you can choose to automatically unlock the Premium Sigma rules included in the List using your team's balance.

When you save the List, an additional confirmation modal is displayed. Allow automatic unlocking in this modal if you agree with the flow.

Unlocking takes place before the rules from the List are deployed via a CCM Job or API.

Lists with automatic unlocking enabled have a label Auto Unlock in the Rule Count column on the Content Lists page. The first number above the label indicates how many rules from the List are available to your team. The second shows the total number of rules in the List. Hover over the numbers to see the legend and the number of Premium rules that can be unlocked.

A Dynamic List can include up to 500 rules. If you configure inclusion criteria that return more than 500 rules, only the most recently updated 500 rules are included. Accordingly, automatic unlocking will be applied only to the locked Premium rules that are included in the most recently updated 500 rules.

To see specific rules that can be unlocked for a particular List, open that List by clicking on its name on the Content Lists page. The status of each rule is shown in the Rule column.

When you link a List with Auto Unlock enabled to a Job, you can see the related warning under the List selection field in the Job settings.

Jobs linked to a List with Auto Unlock enabled have a corresponding label under their name on the Jobs page.

When you enable such a Job, a confirmation prompt is displayed.

You can check what rules have been unlocked on the History tab in CCM.

API


Now, users under an Enterprise plan can automatically unlock Premium Sigma rules via API.

On /v1/sigma/{rule_id}/{siem_type} and /v1/search-sigmas endpoints, an optional parameter unlock_rules has been added. If this parameter is true, locked Premium Sigma rules will be unlocked.

On /v1/content-list and /v1/ccm/jobs/{job_id}/get-content endpoints, it's now possible to unlock the Premium Sigma rules included in the Content Lists, if Auto Unlock has been enabled for these Lists in the UI.

Please use unlocking of Premium Sigma rules via API with caution, since it may result in heavy usage of your team's Premium Sigma rule balance.

Link to Splunk App in Environment Settings


Since a new version of SOC Prime CCM App for Splunk has been released, we've updated the link to the App displayed in the Environment configuration modal.

The App enables Splunk integration with the SOC Prime Platform for using Continuous Content Management. Because Splunk does not allow external access to its API, the integration cannot be configured directly on the SOC Prime Platform.

SOC Prime Platform Terms of Service


We've updated the SOC Prime Platform Terms of Service. You can read the updated version here.

CTI.Uncoder.IO


Since Uncoder.IO now includes all the features of CTI.Uncoder.IO, we are ending support for CTI.Uncoder.IO. From now on, https://cti.uncoder.io will redirect to https://uncoder.io.

If you haven't tried out the new Uncoder.IO yet, give it a go. This free tool, which does not require registration, can do everything CTI.Uncoder.IO could, while offering many additional features.

Warden Checks


We've improved the Warden checks that automatically validate Sigma rule syntax and structure in Threat Bounty Portal, Uncoder AI, and Uncoder.IO.

Now, Sigma rules with character combinations like << in the detection component successfully pass validation.

Cyber Threat Search Engine


We've updated the link in the Zero Trust Architecture section on socprime.com. Now, it leads to the SOC 2 Type II Compliance page.

Platform Guides


We've updated the Platform Guides to reflect the most recent functionality of the SOC Prime Platform. Also, we've updated the Using CCM with Splunk article to include instructions on using the new version of SOC Prime CCM App for Splunk.

Key Bug Fixes & Improvements


With this release, we’ve made the following key bug fixes and improvements to enhance the user experience with the SOC Prime Platform:

  • Fixed a bug in MITRE ATT&CK® where a wrong number of mapped Sigma rules was displayed for some techniques

  • Resolved an issue with deploying content into Microsoft Sentinel environments that some users could have encountered

  • Fixed a bug in Uncoder AI where in some cases the same document could not be uploaded for the second time
