August 23, 2023
© 2023 SOC Prime Inc.
All rights reserved. This product and related documentation are protected by copyright and distributed under licenses restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without the prior written authorization of SOC Prime. While every precaution has been taken in the preparation of this document, SOC Prime assumes no responsibility for errors or omissions. This publication and the features described herein are subject to change without notice.
Threat Detection Marketplace
Content Quality Improvements
We've improved the quality of Sigma rule translations into the following formats:
Humio. We've added escaping of backslashes (\).
Sumo Logic. We've introduced these improvements:
  All field values are put into quotation marks.
  Backslash is escaped (\ → \\\\).
  Wildcards (*) in field values are put outside the quotation marks, e.g. "-none07"*.
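The Sumo Logic rules above matter for detection accuracy: a wildcard left inside the quotes would be matched as a literal asterisk and the translated rule would silently miss. The following is an added illustration of those three rules, written for these notes and not SOC Prime's translation code; it assumes a backslash is escaped by doubling it, and the `sigma_value_to_sumo` helper name and sample values are constructed.

```python
import re


def sigma_value_to_sumo(value: str) -> str:
    """Render one Sigma field value as a Sumo Logic string term.

    Rules, as described in the release notes:
      - backslashes in the literal text are escaped (doubled here; assumption),
      - each literal run is wrapped in double quotation marks,
      - wildcards (*) are placed outside the quotation marks so Sumo Logic
        treats them as wildcards rather than as literal characters.
    Constructed helper, not SOC Prime's own translator.
    """
    if not value:
        # An empty Sigma value still becomes an explicit empty quoted string.
        return '""'

    out = []
    # Split into alternating literal and wildcard runs, keeping the wildcards.
    for part in re.split(r"(\*+)", value):
        if not part:
            continue
        if part.startswith("*"):
            # A run of several asterisks is one wildcard; keep it unquoted.
            out.append("*")
        else:
            # Escape backslashes first, then quote the whole literal run.
            out.append('"' + part.replace("\\", "\\\\") + '"')
    return "".join(out)


def sigma_field_to_sumo(field: str, value: str) -> str:
    """Build a complete field=value term, e.g. Image="C:\\\\tools\\\\"*."""
    return f"{field}={sigma_value_to_sumo(value)}"


if __name__ == "__main__":
    # Constructed sample values; the first matches the example in the notes.
    for sample in ["-none07*", "*cmd.exe*", "C:\\tools\\run.exe", "foo**bar"]:
        print(f"{sample!r:22} -> {sigma_value_to_sumo(sample)}")
```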
Filters and CFM for AWS Athena Query
We've added support for AWS Athena Query in Filters and Custom Field Mapping (CFM).
Filters. Now, you can apply Filters (extra conditions) on the content item's page for AWS Athena Query.
To create a new Filter, click the corresponding option in the Filter dropdown or go to Account icon > Platform Settings > Filters. You can learn more about Filters in this article.
Custom Field Mapping. Now you can create Custom Field Mapping profiles for AWS Athena to apply them in Attack Detective (by linking them to the corresponding Data Planes) and on a content item's page.
To create a new Custom Field Mapping, go to Account icon > Platform Settings > Custom Field Mapping. You can learn more about Custom Field Mapping in this article.
Uncoder AI
New Block with Plan Name and Balance
We've redesigned and expanded the reverse translation counter that previously could be found in the upper right corner of the screen.
Now, it is vertically aligned to the center and additionally includes the name of your subscription plan, the Upgrade button, and the plus icon to top up the reserve translation balance.
Updated Introduction
We've updated the introduction text shown as a placeholder in the input panel. The new version contains much more information about Uncoder AI capabilities and features.
Discuss on Discord Button
To encourage interaction between users, collaboration, and knowledge sharing, we've added a button to discuss the translation on Discord in a channel dedicated to the current platform.
To open the channel, hover over the button and click the link that appears.
Attack Detective
Open in Uncoder AI
In the query details, we've added a button Open in Uncoder AI that opens the query executed during the scan by Attack Detective. The query is opened in a new tab in Uncoder AI so you can view, edit, or copy the code as needed.
Action Loop Button Moved
We've moved the button to mark a query with a validation result as part of the global feedback on the underlying Sigma rule. Now, the button lives in the Attack Surface section of the query details. Each Data Plane in the Investigation where the query hit has its own Action Loop button to make the interface more user-friendly.
Improved Data Audit for Microsoft Sentinel
We've introduced the following improvements:
Log Sources that do not have parsers are not included in the results. For example, if Sysmon does not have a parser, it won't be included in the Events table.
We've enhanced the process of selecting queries that fit the identified log sources.
Improved Query Preparation for Splunk
Now we add an index name to the query before sending it to Splunk. This way, the queries are more accurate and execute faster. In addition, if the same query is executed against two different indexes, the results are presented separately.
Scan Details UX Improvement
We've reordered the Data Plane and Investigation name dropdowns (Investigation name goes first) on the Scan Details page to keep the user experience consistent across Attack Detective pages.
UI Text Improvement
We've updated the UI text in the Investigation setup screen to better explain how to apply Custom Field Mapping profiles during an Investigation.
Key Bug Fixes & Improvements
With this release, we’ve made the following key bug fixes and improvements to enhance the user experience with the SOC Prime Platform:
Fixed issues with CCM API Integration Tool:
An issue where content from Inventory Lists failed to deploy to Elasticsearch
An issue where the checking of connection to Elasticsearch failed
Fixed a bug where the Contact Us form did not close after the user sent the request on the About Us page
Fixed the bug where switching between pages with > and < buttons in pagination sometimes did not work as expected in Automation and Platform Settings
Fixed an issue with MITRE ATT&CK® tags where certain content items were mapped to the Mobile framework instead of Enterprise (tag TA0034 instead of tag TA0040)
Fixed the styles on TDM's Overview page where the figures in the Content Usage dashboard in some cases were almost the same color as the background
Updated the tooltip displayed on a content item's page when a translation has not been generated because the Sigma rule may be noisy and require fine-tuning. Now, the tooltip prompts the user to translate the rule in Uncoder AI
Fixed a bug in the Cyber Threat Search Engine where in some cases the top navigation menu opened when the user moved the mouse pointer over the search results
Fixed button layout in the modal prompting the user with a deprecated Limited Access plan to change their email and get a Community plan
Resolved an issue with posting messages to the Emerging Threats channel in Discord
Fixed a layout bug in Attack Detective where the Run Analysis button was overlapped by the footer on the Data Audit page
Resolved the issue with Attack Detective's Hunt functionality for Sumo Logic in Firefox where an error was displayed in the opened Sumo Logic search page
