
SOC Prime Platform Product Release Notes 5.7.6

Written by Sergey Bayrachny

May 31, 2023

© 2023 SOC Prime Inc.

All rights reserved. This product and its related documentation are protected by copyright and distributed under licenses restricting their use, copying, distribution, and decompilation. No part of this product or its related documentation may be reproduced in any form or by any means without the prior written authorization of SOC Prime. While every precaution has been taken in the preparation of this document, SOC Prime assumes no responsibility for errors or omissions. This publication and the features described herein are subject to change without notice.

SOC Prime Platform Redesign


Meet the updated and redesigned SOC Prime Platform, with navigation that reflects our three products: Threat Detection Marketplace, Attack Detective, and Uncoder AI.

New Home Page

On the new Home Page, you can choose the product you want to use:

  • Threat Detection Marketplace

  • Attack Detective

  • Uncoder AI

The dashboards and recommendations that previously lived on the Home Page can now be found in the Overview section of Threat Detection Marketplace.

Top Navigation

You can also select the product to use in the upper left corner of the screen.

Each product has its own top navigation.

Threat Detection Marketplace (TDM) now consists of the following components (former names in parentheses):

  • Overview (formerly the Home Page)

  • Search (formerly Advanced Search)

  • Hunt (formerly Quick Hunt)

  • Lists (formerly Content Lists in CCM)

  • Automation (formerly Automate; includes Inventory, History, and Jobs)

  • Analytics (unchanged)

Note that two components have been discontinued:

  • MITRE ATT&CK® view of TDM: all its functionality is covered by filters in Search

  • Uncoder CTI: all its functionality is covered by Uncoder AI

As a reminder, all configurations that are related to the Platform as a whole (Data Planes, Custom Field Mapping, Filters, Presets, Search Profiles, and API) now live in the Account icon > Platform Settings.

Threat Detection Marketplace


Redesign

We've updated the design of Search (formerly Advanced Search). In particular:

  • The search bar has been moved from the header to the Search page

  • The Search Profile selection menu has been moved to the filter section

In addition, each Sigma rule now opens in a new tab.

Content

Remapping to OCSF for QRadar

We've improved field conversion when translating a QRadar Query based on LEEF to a QRadar Query based on OCSF.

Translation into SentinelOne

We've improved translations of Sigma rules into SentinelOne formats, ensuring that all operators are properly capitalized and use camel case where required.

Translation into Snowflake

We've improved the quality of translations into this platform by resolving issues with differences in string formatting.

New Alternative Translation Options

Devo Query. We've added two new alternative translation configs: devo-network and devo-web.

AWS OpenSearch Query and Rule. We've added new alternative translation configs: ci-winlogbeat6, ci-winlogbeat7, ocsf, winlogbeat6.

Attack Detective


Redesign

We've updated the design of the Overview page.

Also, you can easily switch between the overview and your investigations using the top navigation.

Support for AWS OpenSearch

We've added support for investigations based on AWS OpenSearch Data Planes. To set up an investigation, first configure an integration with your Data Plane and select the checkbox next to Attack Detective in the integration profile settings.

Uncoder AI


We've introduced multiple improvements to Uncoder AI, making it even more useful to threat hunters and detection engineers.

Personal Email Account

Now, you can sign up to use Uncoder AI with your personal email. Note that with a personal email account, the other products on the SOC Prime Platform are unavailable.

Personal Premium Subscription Plan

We've also added a personal Premium monthly subscription plan. You can upgrade right on the Uncoder AI page via Stripe.

An Enterprise plan is available only for users with an account linked to their work email.

Search and Intelligence

We've substantially improved the search for content available in TDM. Type your search term in the search bar and narrow down the results using filters.

Now, you can explore a rule's intelligence and metadata by clicking the tile with the rule title.

Intelligence includes three sections, Audit Configuration, False Positives, and Triage Recommendations, that are augmented with AI technologies such as ChatGPT.

After you've loaded the code of a Sigma rule from TDM, you can always see its intelligence and metadata by clicking the Intelligence button.

Autocomplete

We've improved the autocomplete feature, making the suggestions even more relevant to the current section of the Sigma rule.

Validation

The results of the built-in validation checks are now shown to the right of the Sigma code.
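Uncoder AI's validation checks run inside the product and are not shown on this page. As an added illustration (not SOC Prime's code), the snippet below shows what a check on the condition component of a Sigma rule can catch, which is also the check the bug-fix list later mentions as improved: undefined selections, wildcards used outside `1 of`/`all of`, quantifiers that ask for more selections than match, unbalanced parentheses, and selections that are defined but never used. The `detection` sections are constructed samples already parsed from YAML into dicts; the function name `validate_condition` and the wording of its messages are assumptions.

```python
import fnmatch
import re

# Tokens of a Sigma condition: parentheses, counts, identifiers (optionally
# containing '*' wildcards), or any single stray character we will flag.
TOKEN_RE = re.compile(r"\(|\)|\d+|[A-Za-z_][A-Za-z0-9_*]*|\S")
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_*]*")
OPERATORS = {"and", "or", "not"}

# Constructed sample (not a rule from TDM): the `detection` section of a
# Sigma rule after YAML parsing.
SAMPLE_DETECTION = {
    "selection_img": {"Image|endswith": "\\certutil.exe"},
    "selection_cli": {"CommandLine|contains": ["urlcache", "-decode"]},
    "filter_known": {"ParentImage|endswith": "\\msiexec.exe"},
    "condition": "1 of selection_* and not filter_known",
}

# Constructed sample with three defects: a typo in a selection name, a
# missing ')' and a filter that the condition never references.
BROKEN_DETECTION = {
    "selection": {"Image|endswith": "\\powershell.exe"},
    "filter": {"User|contains": "SYSTEM"},
    "condition": "(selection and not filtr",
}


def validate_condition(detection: dict) -> list:
    """Return the problems found in detection['condition'] (empty list = valid)."""
    issues = []
    cond = detection.get("condition")
    if not isinstance(cond, str) or not cond.strip():
        return ["condition is missing or empty"]
    selections = {k for k in detection if k != "condition"}
    # Anything after '|' is an aggregation expression and is not validated here.
    tokens = TOKEN_RE.findall(cond.split("|", 1)[0])
    referenced = set()
    depth = 0
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "(":
            depth += 1
        elif tok == ")":
            depth -= 1
            if depth < 0:
                issues.append("unbalanced ')' in condition")
                depth = 0
        elif tok in OPERATORS:
            pass
        elif tok.isdigit() or tok == "all":
            # Quantifier form: '<N|all> of <pattern|them>'
            if i + 2 >= len(tokens) or tokens[i + 1] != "of":
                issues.append(f"quantifier '{tok}' must be followed by 'of <pattern>'")
            else:
                pattern = tokens[i + 2]
                matches = (selections if pattern == "them"
                           else {s for s in selections if fnmatch.fnmatchcase(s, pattern)})
                if not matches:
                    issues.append(f"'{tok} of {pattern}' matches no selection")
                elif tok.isdigit() and int(tok) > len(matches):
                    issues.append(f"'{tok} of {pattern}' needs {tok} selections but only {len(matches)} match")
                referenced |= matches
                i += 2  # consume 'of' and the pattern
        elif tok in ("of", "them"):
            issues.append(f"unexpected '{tok}' outside a quantifier")
        elif IDENT_RE.fullmatch(tok):
            if "*" in tok:
                issues.append(f"wildcard '{tok}' is only valid after 'of'")
            elif tok not in selections:
                issues.append(f"condition references undefined selection '{tok}'")
            else:
                referenced.add(tok)
        else:
            issues.append(f"unexpected token '{tok}' in condition")
        i += 1
    if depth > 0:
        issues.append("unbalanced '(' in condition")
    for name in sorted(selections - referenced):
        issues.append(f"selection '{name}' is defined but never used in condition")
    return issues


if __name__ == "__main__":
    for name, det in (("sample", SAMPLE_DETECTION), ("broken", BROKEN_DETECTION)):
        problems = validate_condition(det)
        print(f"{name}: {'OK' if not problems else ''}")
        for problem in problems:
            print(f"  - {problem}")
```

The check is deliberately structural: it does not evaluate the condition against events, and it skips the aggregation part after `|`. An unused selection is reported as an issue rather than ignored, because in practice it usually means a filter was written but never wired into the condition, which silently widens the rule.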

Platform Selection

We've improved the input and output platform selection functionality:

  • You can mark platforms as favorites

  • The output dropdown shows only the options available for the currently selected input

Hotkeys

To make Uncoder AI even more convenient, we've added hotkeys for the most common actions.

Support for Snowflake

We've added support for the generation of IOC-based queries for Snowflake.

MITRE ATT&CK® Version


We've updated the version of MITRE ATT&CK used on the SOC Prime Platform and in the Cyber Threats Search Engine to 13.1. You can find the description of changes in the new version here.

Discord Channel for Emerging Threats


We've improved the emerging-threats channel on our Discord server. Here we publish references to the latest articles, reports, and other content about recently discovered threats. Each reference is accompanied by a list of Sigma rules that detect the corresponding activity.

Terms of Service Update


We've updated the SOC Prime Platform Terms of Service. The most recent version of the document is available here.

Threat Bounty Program


We've improved the texts of emails automatically sent to Threat Bounty Program members when they apply for the Program, create an account, and submit content.

Company Website


We've made several updates:

Key Bug Fixes & Improvements


With this release, we’ve made the following key bug fixes and improvements to enhance the user experience with the SOC Prime Platform:

  • Resolved several issues in Uncoder AI:

    • Fixed a bug where CrowdStrike was missing from the list of platforms for IOC-based query generation

    • Fixed a bug where the response time could be long when editing very large text with IOCs uploaded from a file

    • Improved CTAs in tooltips for unavailable content in search

    • Improved the built-in validation check of the condition component of Sigma rules

    • Removed automated character replacement in the editor that, for example, turned != into

  • Fixed a bug where logs of successful content deployment were in some cases duplicated in the Job logs

  • Fixed an issue on Threat Bounty Portal where the Generate All button did not work for some time

  • Restored the Microsoft Defender for Endpoint alternative data schema for Microsoft Sentinel translations of all Sigma rules that are also translated into Microsoft Defender for Endpoint
