August 9, 2023
© 2023 SOC Prime Inc.
All rights reserved. This product and documentation related are protected by copyright and distributed under licenses restricting their use, copying, distribution, and decompilation. No part of this product or documentation related may be reproduced in any form or by any means without the prior written authorization of SOC Prime. While every precaution has been taken in the preparation of this book, SOC Prime assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.
Threat Detection Marketplace
Update of Sumo Logic CSE Integration
To ensure that integrations with Data Planes of this type work fine, we've updated the URL and authentication method according to the new version of the API.
Content Quality Improvement
We've improved the quality of Sigma rule translations into the following formats:
Microsoft Sentinel and Microsoft Defender for Endpoint. We've improved the translation of filters that include multiple values combined by the and operator. A detection of this type is now translated with the following syntax:
Sigma:
    detection:
      selection:
        Image|endswith:
          - 'ABC.EXE'
          - 'DEF.exe'
      filters:
        Image|contains|all:
          - '\Program'
          - 'Files'
          - 'root'
      condition: selection and not filters
Microsoft Sentinel/Microsoft Defender for Endpoint:
    | where ((FolderPath endswith @'ABC.EXE' or FolderPath endswith @'DEF.exe') and not ((FolderPath contains @'\Program') and (FolderPath contains @'Files') and (FolderPath contains @'root')))
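The translation shape above can be reproduced with a small Sigma-to-KQL renderer. This is an added example, not SOC Prime's translator: the Image-to-FolderPath field mapping, the flat condition grammar (names joined by and/or/not) and the parsed form of the Sigma YAML are assumptions made here.

```python
# Added example (not SOC Prime's code): minimal Sigma detection -> KQL renderer
# that reproduces the "selection and not filters" output shown above.
FIELD_MAP = {"Image": "FolderPath"}          # assumed field mapping for MDE/Sentinel
# KQL's endswith/contains/startswith and =~ are case-insensitive, like Sigma matching.
OPS = {"endswith": "endswith", "contains": "contains", "startswith": "startswith"}
KEYWORDS = {"and", "or", "not", "(", ")"}

# The page's Sigma detection block as a parsed dict (constructed sample input).
PAGE_DETECTION = {
    "selection": {"Image|endswith": ["ABC.EXE", "DEF.exe"]},
    "filters": {"Image|contains|all": ["\\Program", "Files", "root"]},
    "condition": "selection and not filters",
}

def _kql_literal(value: str) -> str:
    """KQL verbatim string (@'...'): backslashes stay literal, quotes are doubled."""
    return "@'" + value.replace("'", "''") + "'"

def translate_selection(selection: dict) -> str:
    """Render one Sigma selection/filter block as a parenthesised KQL expression."""
    parts = []
    for key, values in selection.items():
        field, *modifiers = key.split("|")
        kql_field = FIELD_MAP.get(field, field)
        op = OPS[modifiers[0]] if modifiers else "=~"
        values = values if isinstance(values, list) else [values]
        terms = [f"{kql_field} {op} {_kql_literal(v)}" for v in values]
        if "all" in modifiers:
            # contains|all: every value must match, so and-join, each term in parens
            parts.append(" and ".join(f"({t})" for t in terms))
        else:
            # list without 'all': any value may match, so or-join
            parts.append(" or ".join(terms))
    return "(" + " and ".join(parts) + ")"

def translate_detection(detection: dict) -> str:
    """Render a whole Sigma detection block as a KQL where clause."""
    blocks = {name: translate_selection(sel)
              for name, sel in detection.items() if name != "condition"}
    # Assumed flat grammar: identifiers, and/or/not and parentheses separated by spaces.
    rendered = [tok if tok in KEYWORDS else blocks[tok]
                for tok in detection["condition"].split()]
    return "| where (" + " ".join(rendered) + ")"

if __name__ == "__main__":
    print(translate_detection(PAGE_DETECTION))
```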
Elastic Stack formats. We've introduced the following enhancements:
Improved escaping of non-alphanumeric characters
Removed redundant quotes around values
Ensured that non-alphanumeric values are translated using regexes, e.g. '\Cmd.exe' in Sigma is translated as /.*\\\\[Cc][Mm][Dd]\.[Ee][Xx][Ee]/
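An added example (not SOC Prime's translator) of how a Sigma value with non-alphanumeric characters can be turned into the regex form shown above. It assumes the value comes from an endswith-style match (hence the leading .*) and that a backslash is escaped once for the regex and once more for the query string it is embedded in, which is what yields the four backslashes.

```python
# Added example (not SOC Prime's code): build a case-insensitive regex for a
# Sigma value so that '.' and '\' are matched literally instead of acting as
# regex metacharacters. Lucene-style regexps have no case-insensitive flag,
# so each letter is spelled as a two-character class such as [Cc].
REGEX_META = set(r".^$|?*+()[]{}")

def sigma_value_to_regex(value: str, mode: str = "endswith") -> str:
    """Return the /.../ regex for a Sigma value under the given match mode."""
    out = []
    for ch in value:
        if ch.isalpha():
            out.append(f"[{ch.upper()}{ch.lower()}]")
        elif ch == "\\":
            # assumption: one literal backslash -> escaped for the regex and again
            # for the enclosing query string, i.e. four backslashes in the output
            out.append("\\\\\\\\")
        elif ch in REGEX_META:
            out.append("\\" + ch)          # keep '.', '(' etc. literal
        else:
            out.append(ch)                 # digits, '-', '_' need no escaping
    body = "".join(out)
    prefix = ".*" if mode in ("endswith", "contains") else ""
    suffix = ".*" if mode in ("startswith", "contains") else ""
    return f"/{prefix}{body}{suffix}/"

if __name__ == "__main__":
    print(sigma_value_to_regex("\\Cmd.exe"))
```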
Dashboard
We've removed two outdated blocks from the Dashboards:
Threat Bounty Participation
Team Collaboration Actions
Uncoder AI
Support for New Output Languages
As part of our continuous effort to make Uncoder AI even more useful for detection engineers and threat hunters who work with different security technologies, we've added support for translating Sigma rules into 20 new languages:
CSharp Regex Query (LINQ)
Datalog Query
DNIF Query
ElastAlert Alert (DSL)
Elastic Stack Query (DSL)
Elastic Stack Query (EQL)
Elastic Stack Detection Rule (EQL)
Elastic Stack Kibana SavedSearch (NDJSON)
HawkSearch Query
Lacework Query
Logiq Rule
LogRhythm Query (Lucene)
NVISO EE-Outliers Query
RSA Netwitness Query (EPL)
Splunk Query (XML)
SQL Query
SQLite Query
STIX Pattern
StreamAlert Alert
UberAgent ESA Query
New Green Warden Check
We've added a new check to Green Warden. It ensures that the value of the Image field does not contain forward slashes when logsource.product is windows.
Improved Reverse Translations
We've improved reverse translations from Splunk Alert into Microsoft Sentinel Rule by ensuring that IDs of MITRE ATT&CK® tactics and techniques are correctly transferred into the output format.
Cyber Threat Search Engine
Tools Section
We've updated the Tools section in the top navigation menu by removing outdated items and adding the reference to The Prime Hunt browser extension.
SOC 2 Type 2 Compliance
We've updated the texts and design on the SOC 2 Type II Compliance page to provide more relevant information on the standard.
Retiring Uncoder.IO
Since users can now register for Uncoder AI with their private emails and benefit from the free tier that offers more capabilities than uncoder.io, we've decided to retire uncoder.io. The domain now serves as a page where visitors can learn more about the capabilities of Uncoder AI and follow a link to create an account.
Platform Guides
We've updated the Platform Guides according to the new functionality.
Key Bug Fixes & Improvements
With this release, we’ve made the following key bug fixes and improvements to enhance the user experience with the SOC Prime Platform:
Fixed bugs in MITRE ATT&CK Coverage:
A bug where after selecting a sub-technique and opening the Explored, Downloaded via API, Deployed, or Unexplored content in Search, the content was filtered by the parent technique rather than by the selected sub-technique
A bug where the count under Explored, Downloaded via API, Deployed, or Unexplored categories didn't match the actual number of content items available in Search
Resolved an issue in TDM's Search where in some cases the Author field could stay unfilled for a while after the rule was published
Fixed layout items alignment in recommendations displayed in TDM's Overview
Resolved an issue with the API where an error was returned because multiple IPs were passed when a VPN was used to send the request
Fixed a bug in Custom Field Mapping profiles for Splunk where setting no value or * as the default value for source/index on the Index tab did not result in any source/index being replaced with the custom value
Fixed a bug in Uncoder AI where IOC-based queries failed to generate for Splunk Query, Sumo Logic, SentinelOne (Events Query), and VMware Carbon Black (EDR)
