SOC Prime Platform Product Release Notes 5.8.2

Written by Sergey Bayrachny

July 26, 2023

© 2023 SOC Prime Inc.

All rights reserved. This product and documentation related are protected by copyright and distributed under licenses restricting their use, copying, distribution, and decompilation. No part of this product or documentation related may be reproduced in any form or by any means without the prior written authorization of SOC Prime. While every precaution has been taken in the preparation of this book, SOC Prime assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

Threat Detection Marketplace


Applying Filters in the Code Tab

Now, you can apply Filters (extra conditions added on the fly to the detection logic before launching the query/deploying the rule) on the Code tab of a rule's page. Previously, Filters could be applied only via Presets as part of Automation.

Currently, Filters on a rule's page are available for the following content formats:

  • Microsoft Sentinel Query

  • Sumo Logic Query

  • Humio Query

  • Elastic Stack Query

  • Splunk Query

  • Chronicle Security Query

To manage your Filters, go to Platform Settings > Filters. To create a new filter, you can click the Create New Filter option right in the Filter selection dropdown.

Name your Filter, choose if you want to share it with your team, and define the extra conditions to be added.

Shared Data Planes in Jobs

To improve the UX during team collaboration, we've updated the way Data Planes created by other users from your team are displayed in Jobs.

On the Jobs page, the names of Data Planes created by other users are followed by the shared or not shared status.

The status depends on whether the user who created the Data Plane enabled the Share to Company switch in its settings.

The statuses are also displayed in the Job settings. Data Planes with not shared status are grayed out and cannot be added or removed from the Job.

Translation Improvements

Humio

We've improved the Sigma rule translations into Humio formats:

  • When a value includes the backslash character (\), it is escaped with a second backslash (\\)

  • When a field in a Sigma rule has multiple values combined by OR and is modified by contains, its translation has the following syntax:

Sigma:

    selection:
      CommandLine|contains:
        - cscript.exe
        - \outlook.exe
        - \powerpnt.exe

Humio:

    in(field=winlog.event_data.CommandLine,values=["*cscript.exe*", "*\\outlook.exe*", "*\\powerpnt.exe*"])
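The translation rules above (backslash doubling and OR-combined contains values turned into a Humio in() list), written out as a small added example; this is not SOC Prime's translator. The field mapping and the extension to startswith/endswith modifiers are assumptions, and the Sigma selection is the one from the table, already parsed from YAML.

```python
from typing import Dict, List, Union

# Constructed input: the selection block from the table above, as a parsed dict.
SIGMA_SELECTION: Dict[str, List[str]] = {
    "CommandLine|contains": ["cscript.exe", r"\outlook.exe", r"\powerpnt.exe"],
}

# Hypothetical Sigma-field to Humio-field mapping (the platform's own mapping is not on the page).
FIELD_MAP = {"CommandLine": "winlog.event_data.CommandLine"}


def escape_humio_value(value: str) -> str:
    """Escape a literal for a Humio query string: every backslash becomes two."""
    return value.replace("\\", "\\\\")


def wildcard_for(modifier: str, value: str) -> str:
    """Wrap the escaped value in * wildcards according to the Sigma modifier.

    Only 'contains' is shown on the page; startswith/endswith are an assumed generalization.
    """
    escaped = escape_humio_value(value)
    if modifier == "contains":
        return f"*{escaped}*"
    if modifier == "startswith":
        return f"{escaped}*"
    if modifier == "endswith":
        return f"*{escaped}"
    return escaped  # no modifier: exact match


def translate_selection(selection: Dict[str, Union[str, List[str]]]) -> str:
    """Translate a Sigma selection into Humio in(field=...,values=[...]) clauses.

    Values listed under one field are OR-combined (one in() list); separate fields
    are AND-combined, so their clauses are joined with 'and'.
    """
    clauses = []
    for key, values in selection.items():
        field, _, modifier = key.partition("|")
        humio_field = FIELD_MAP.get(field, field)
        if isinstance(values, str):
            values = [values]
        quoted = ", ".join(f'"{wildcard_for(modifier, v)}"' for v in values)
        clauses.append(f"in(field={humio_field},values=[{quoted}])")
    return " and ".join(clauses)


if __name__ == "__main__":
    print(translate_selection(SIGMA_SELECTION))
```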

SentinelOne

We've improved translations from Sigma rules into SentinelOne formats:

  • Corrected capitalization of the Anycase operator

  • Improved the syntax for the IN operator

  • Added escaping for the backslash character (\)

Message for Empty Search Results

We've improved the message displayed when the user's search returned no results. Now, it offers more communication channels, and prompts the user to reach out to us for help in finding the right detection content.

Uncoder AI


Auto-Fix for Missing UUID

We've expanded the auto-fix capabilities. Now, if your Sigma rule is missing the id field, you can generate a unique value of the proper format and add it to your code automatically by clicking Fix for the corresponding warning in Warden.

API Endpoints

We've added the following API endpoints:

  • POST /uncoder/reverse for reverse translations

  • POST /uncoder/ioc/parse-iocs for parsing indicators of compromise (IOCs)

  • POST /uncoder/ioc/generate-query for generating queries based on parsed IOCs

Improved Flow of Opening Content

Now, when you select a Sigma rule in the search results, its code and intelligence open right away, saving you an extra click.

Attack Detective


Support for Sumo Logic

We've added support for Sumo Logic Data Planes. To run an Investigation in your Sumo Logic instance, first configure a Data Plane integration in Platform Settings > Data Planes.

  1. Click Add Data Plane.

  2. Name your profile, select Sumo Logic as your platform, and choose if you want to share the profile with your teammates.

  3. Ensure the Attack Detective checkmark is set.

  4. Fill in the fields that appear in the Configuration section:

    • Deployment Region

    • Timezone

    • Access ID

    • Access Key

    See this article to learn how to get credentials in Sumo Logic.

  5. Click Save Changes.

Once you've set up the integration with your Data Plane, start an Investigation in Attack Detective using your Data Plane.

Support for On-Prem Splunk

We've added support for on-prem Splunk Data Planes. To run an Investigation in your on-prem Splunk instance:

  1. Configure integration with your Splunk in Platform Settings > Data Planes by creating an on-prem Splunk Data Plane.

    1. Click Add Data Plane.

    2. Name your profile, select Splunk as your platform, and choose if you want to share the profile with your teammates.

    3. Enable the On Prem switch.

    4. Insert the URL of your Splunk web console, which you can copy from your browser.

    5. Generate your Attack Detective API key to be used in the second step.

    6. Click Save Changes.

  2. Install the SOC Prime Attack Detective App for Splunk in your Splunk instance. This app connects your on-prem Splunk instance to Attack Detective. You can find more details on the configuration in this article.

Once you've set up the integration with your Data Plane, start an Investigation in Attack Detective using your Data Plane.

Launched Queries Calculation

We've improved the calculation of the total number of queries launched during an Investigation. Now, the final value is displayed at once; previously it was updated dynamically as queries were launched against different tables.

MITRE ATT&CK® Navigator

In the export from Data Audit, we've updated the MITRE ATT&CK® Navigator layer version to 4.4.

Hunting in Microsoft Defender for Endpoint

We've improved the mechanism of passing hunting queries via URL to Microsoft Defender for Endpoint. Now, the queries are passed right to the Advanced Hunting page, which enables the user to validate the hits faster.

Cyber Threat Search Engine


In the MITRE ATT&CK® View, we've made empty tactics and techniques hidden by default to help the user focus on what is covered by the search results. To show tactics and techniques without content mapped to them, click the eye icon.

Platform Guides


We've updated the Platform Guides according to the new functionality.

Key Bug Fixes & Improvements


With this release, we’ve made the following key bug fixes and improvements to enhance the user experience with the SOC Prime Platform:

  • Resolved issues in Uncoder AI:

    • Fixed a bug where SentinelOne translations failed to generate in certain time periods

    • Improved parsing of domains and file names with a leading slash, such as \example.com and \test.txt, for the generation of IOC-based queries

    • Improved error handling for Microsoft Defender for Endpoint translations by showing a specific reason why certain Sigma rules cannot be translated rather than a general error message

    • Fixed duplicate options in the output selection dropdown when generating queries based on parsed IOCs

    • Fixed a bug where an item selected on one page of the search results stayed highlighted as selected on all other pages

    • Improved remapping to OCSF for Splunk

  • Fixed a bug in Automation where an error message about failing to delete content from GitHub inventory and the GitHub repo had a success header

  • Improved applying Filters to Splunk queries. Now, they are added at the end of the query to avoid overloading Splunk

  • Fixed a bug in Automation where certain content deploy Jobs did not start automatically for a short while

  • Fixed a bug with Custom Field Mapping for Splunk where the Source mapping wasn't applied correctly if a specific custom value was set

  • Resolved issues in Attack Detective:

    • Fixed a bug where Event IDs could be displayed as missing on the Blind Spots tab of Data Audit if they were missing in some tables and present in others

    • Made the input area for log source names on the Visibility tab larger to ensure that entering long names is user-friendly

  • Improved the YAML format check in Warden, which previously could produce false positive results under some conditions

  • Fixed a bug with search in CrowdStrike where the user was navigated to falcon.crowdstrike.com instead of the URL configured in their CrowdStrike Data Plane

  • Fixed an issue with API where an error was returned if the tags.sigma_type field contained a string instead of an array

  • Fixed a bug where after editing a query for Elastic, CrowdStrike or Microsoft Defender for Endpoint on a rule's page, the original version of the query was deployed

  • Fixed a bug in TDM's Overview where decimals were displayed instead of integers on the Rule Usage Compared to Industry dashboard
