
SOC Prime Platform Product Release Notes 5.9.0

Written by Sergey Bayrachny

September 11, 2023

© 2023 SOC Prime Inc.

All rights reserved. This product and its related documentation are protected by copyright and distributed under licenses restricting their use, copying, distribution, and decompilation. No part of this product or its related documentation may be reproduced in any form or by any means without the prior written authorization of SOC Prime. While every precaution has been taken in the preparation of this book, SOC Prime assumes no responsibility for errors or omissions. This publication and the features described herein are subject to change without notice.

Custom Repositories


We've released Custom Repositories, a new major feature to aid security practitioners in the use case management lifecycle. You can save and manage supported types of rules and queries directly on the SOC Prime Platform.

A custom repository is a dedicated storage within a separate database integrated into SOC Prime Platform's cloud infrastructure (with an encrypted rule body at rest) for a company's detection content. In essence, Custom Repositories provide SOC Prime Platform users with a secure environment to safeguard and organize Content, either uploaded by users or modified from the SOC Prime Platform.

Content items stored in a custom repository can be grouped the same way as on Threat Detection Marketplace (TDM), with multiple translations of the same rule linked together.

Note that by default the Custom Repository feature is not enabled. It can be enabled for Enterprise clients as an add-on.

Create and Manage a Custom Repository

To create or manage custom repositories, go to Account icon > Platform Settings > My Repositories.

Click Add Repository to create a new custom repository. The Create New Repository modal appears:

  1. Give your repository a meaningful name.

  2. Select whether you want to share the repository with other users from your company.

    • Not shared repositories are visible and available only to you

    • Shared repositories are visible to your team and any team member can add/delete content or manage repository settings (except for the sharing setting)

  3. Select the Data Planes you'd like to associate with this repository.

  4. Select the platforms you'd like to associate with this repository. You'll still be able to add content for platforms not selected in this field.

  5. Click Apply.

To edit or delete a custom repository, click the respective elements on the right.

View Content in a Custom Repository

You can view the content stored in a custom repository via TDM's Search.

First, use the switch under the search bar to toggle between Platform repositories and Custom repositories. By default, the Platform Repos option is selected.

Platform Repos represent the content published on Threat Detection Marketplace. For your convenience, we've divided this content into repositories as well:

  • Threat Bounty: content authored by developers from the Threat Bounty Program

  • SOC Prime: content authored by the in-house SOC Prime team

  • SigmaHQ: content sourced from the open-source SigmaHQ project on GitHub

  • Microsoft Sentinel: content for Microsoft Sentinel sourced from the Azure-Sentinel project on GitHub

By default, content from all repositories is shown. If you want to see and search content only from specific repositories, choose them in the selector and click Apply.

To see and search content from custom repositories, toggle the switch into the My Repos state.

By default, content from all custom repositories available to you is shown (both created by you and shared with you by your teammates). If you want to see and search content only from specific repositories, choose them in the selector and click Apply.

You can search for and filter content in custom repositories the same way as the content published on TDM. However, note that some filters such as Content Availability and Content Action State are not applicable to custom content. Additionally, filtering will work only as long as corresponding metadata is present in the custom content.

Add and Manage Content

You can add content to a custom repository in one of two ways:

  1. Fork an existing content item from TDM.

  2. Add content via Uncoder AI.

To edit a content item stored in a custom repository, open it in Uncoder AI.

Forking Content from TDM

You can copy any Sigma rule or its translation available to you on TDM to your custom repository. This action is referred to as forking.

  1. Go to TDM's Search and select content items by setting checkmarks next to them.

  2. Click Fork to My Repo.

  3. Set forking parameters and click Apply:

    • Select the repositories you want to copy the content to.

    • Define the platforms for which you need translations. Only translations for the selected platforms will be copied.

When you fork a content item, its metadata is also copied. When you fork a translation of a Sigma rule, the original Sigma rule is copied together with the translation.

Adding and Editing Content via Uncoder AI

You can add content to your custom repositories in Uncoder AI:

  • Save content created from scratch

  • Add a new translation to an existing rule

  • Update an existing translation

  • Open an existing translation and save it as a new rule

Save content created from scratch

  1. Go to Uncoder AI and write/paste a rule/query in any of the supported languages.

  2. Click Save As > New Rule in the panel with the content.

  3. Fill in saving parameters.

    • Save to. Select the custom repository to save your content.

    • Platform. Double-check the selected platform to make sure everything is correct.

    • Content Name. Give your content a name. In the case of a Sigma rule, this field is pre-filled with the Sigma title.

    • Description. Provide a description of your content.

  4. Click Save.

Note: In the case of a Sigma rule, all available metadata is parsed and will be displayed on the Intelligence page of the rule in TDM. However, if you only save a query or rule in a different language, most metadata and intelligence fields will be empty.

Add a new translation to an existing translation group

  1. Open a Sigma rule or a content item in another format from its page on TDM using the Open in Uncoder AI button.

  2. In Uncoder AI, generate/write a translation of the opened content and select Save As > Update to my Rule in the panel with the translation you want to add.

  3. If the panel with the translation was on the right, it will move to the left and the saving settings will appear. Note that you cannot change the custom repository for saving. Ensure the platform and content name are correct, add an optional description, and click Save.

  4. If you now want to update the current translation and save the updated version, select Save As > Update to my Rule and ensure that the current platform name is selected in the Platform field of the saving settings.

Update an existing translation

  1. Open a translation from its page on TDM using the Open in Uncoder AI button. Note that you can update only translations stored in your custom repositories, not those that are published on TDM.

  2. In Uncoder AI, update the translation code as needed and select Save As > Update to my Rule. Ensure that the current platform name is selected in the Platform field of the saving settings.

Open an existing translation and save it as a new rule

  1. Open a translation from its page on TDM using the Open in Uncoder AI button. Note that you can update only translations stored in your custom repositories, not those that are published on TDM.

  2. In Uncoder AI, update the translation code as needed and select Save As > New Rule. Ensure that the settings are correct (in particular, use a unique name if you save the rule to the same repository) and click Save. When you save a translation of a Sigma rule from a Platform repo, the original Sigma rule is copied together with the translation.

Deleting Content

You can delete any content item from custom repositories created by you or shared with you by your teammates.

  1. Go to TDM's Search > My Repos and select content items by setting checkmarks next to them.

  2. Click Delete.

Note: If you delete a custom repository from the My Repositories page, it will be permanently deleted together with all the content it holds.

Terms Of Service Update


We've updated the SOC PRIME PLATFORM TERMS OF SERVICE to include sections covering custom repositories.

Threat Detection Marketplace


Improved Page Loading Speed

As part of our continuous effort to make the user experience better, we've improved the loading speed of a rule's page, in particular its Code tab. This was achieved by optimizing the order in which the page components are loaded.

All Filters Made Available to Community

To enhance the capabilities under TDM's Community subscription plan, we've made all filters on the Search page available.

Now, every security practitioner who uses Community can apply any filter to make searching for rules faster and more convenient.

Attack Detective


We've released connector apps for on-prem IBM QRadar and Elastic that enable scanning an on-prem environment in Attack Detective.

The apps are published as Content Packs on Threat Detection Marketplace. They are installed using Docker, which eliminates potential issues with host compatibility. All configurations are defined as variables in a .env file.

Accordingly, we've added support for on-prem IBM QRadar and Elastic Stack Data Planes.

IBM QRadar

Granting Permissions

To allow the Attack Detective connector app to access your IBM QRadar, set up an Authorized Service in IBM QRadar.

  1. Go to Admin > Authorized Services and create a new authorized service.

    • Security Profile. Attack Detective searches will run with any permission, but will only return data from the Networks/Log Sources/Domains assigned to the selected Security Profile. If you need to create a new profile, go to Admin > User Management > Security Profiles, create a profile, and deploy changes.

    • User Role. Select a user role with at least these permissions: "Log Activity" for event searches and "Network Activity" for flow searches. If you need to create a new role, go to Admin > User Management > User Roles, create a role, and deploy changes.

  2. An authorized service token is created. Copy it to a secure location for storage since you won't be able to access it after closing the dialog. You'll need to specify this token in the .env file when installing the connector app.

Data Plane Configuration

To use Attack Detective with on-prem IBM QRadar, the user has to set up a Data Plane on the SOC Prime Platform in addition to installing the connector app.

  1. Log in to your SOC Prime Platform account and go to Account icon > Platform Settings > Data Planes.

  2. Click the Add Data Plane button.

  3. Give your Data Plane profile a meaningful name.

  4. Select IBM QRadar as your platform. Note that the On Prem switch is turned on automatically.

  5. Select if you want to share the profile across your team.

  6. Set the URL of your IBM QRadar web console.

  7. Generate an Attack Detective API key by clicking the icon with arrows. You'll need to specify it in the .env file when installing the connector app. Please save the API key in a safe and accessible place. For security reasons, you won't be able to view it again. If you lose this secret key, you'll need to generate a new one.

  8. Optionally, link a Custom Field Mapping profile.

  9. Click Save Changes.

Elastic Stack

Granting Permissions

To allow the Attack Detective connector app to access your Elasticsearch, set up a Role and assign it to a User in Elasticsearch.

  1. Go to Stack Management > Roles.

  2. Create a role with a meaningful name and the following privileges:

    • Cluster privileges: monitor

    • Index privileges (select * in the Indices dropdown): read, view_index_metadata, monitor, manage

  3. Create a new user and assign it the role created in step 2. You'll need to specify the username and password of the created user in the .env file of the connector app.
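The role and user described in the steps above can also be created through Elasticsearch's security REST API (`PUT /_security/role/<name>` and `PUT /_security/user/<name>`) instead of the Kibana UI. The following is an added example, not SOC Prime's or Elastic's own code: it builds those two request bodies with exactly the privileges listed in step 2 and includes a check that compares an existing role document (as returned by `GET /_security/role/<name>`) against that required set, so you can confirm a role is sufficient before putting its credentials into the connector's `.env` file. The role and user names and the password are placeholders; nothing is sent over the network.

```python
"""Build and verify the Elasticsearch role/user for the Attack Detective connector.

Added example (not part of the release notes). Assumes the Elasticsearch
security API is used instead of the Kibana Roles UI; role/user names are
hypothetical placeholders. No network calls are made.
"""
import json

# Privileges required by the release notes (Elastic Stack > Granting Permissions).
REQUIRED_CLUSTER = {"monitor"}
REQUIRED_INDEX = {"read", "view_index_metadata", "monitor", "manage"}


def connector_role() -> dict:
    """Request body for PUT /_security/role/<role_name> matching step 2."""
    return {
        "cluster": sorted(REQUIRED_CLUSTER),
        # "*" in the Indices dropdown corresponds to names: ["*"] in the API.
        "indices": [{"names": ["*"], "privileges": sorted(REQUIRED_INDEX)}],
    }


def connector_user(role_name: str, password: str) -> dict:
    """Request body for PUT /_security/user/<user_name> matching step 3.

    The password is supplied by the caller (never hard-coded here); it is the
    value that later goes into the connector app's .env file.
    """
    return {
        "password": password,
        "roles": [role_name],
        "full_name": "Attack Detective connector",
    }


def missing_privileges(role: dict) -> dict:
    """Compare a role document against the required privileges.

    Returns a dict of what is missing ({} means the role is sufficient).
    Index privileges only count when an entry covers the "*" pattern; the
    wildcard privilege "all" is treated as covering every required one.
    """
    have_cluster = set(role.get("cluster", []))
    if "all" in have_cluster:
        have_cluster |= REQUIRED_CLUSTER

    have_index: set = set()
    for entry in role.get("indices", []):
        if "*" in entry.get("names", []):
            privs = set(entry.get("privileges", []))
            if "all" in privs:
                privs |= REQUIRED_INDEX
            have_index |= privs

    missing = {}
    if REQUIRED_CLUSTER - have_cluster:
        missing["cluster"] = sorted(REQUIRED_CLUSTER - have_cluster)
    if REQUIRED_INDEX - have_index:
        missing["indices"] = sorted(REQUIRED_INDEX - have_index)
    return missing


def console_requests(role_name: str, user_name: str, password: str) -> list:
    """Render both API calls in Kibana Dev Tools console syntax, ready to paste."""
    return [
        f"PUT /_security/role/{role_name}\n{json.dumps(connector_role(), indent=2)}",
        f"PUT /_security/user/{user_name}\n"
        f"{json.dumps(connector_user(role_name, password), indent=2)}",
    ]


if __name__ == "__main__":
    # Placeholder names; replace the password before running for real.
    for req in console_requests("attack_detective_role", "attack_detective", "<REPLACE_ME>"):
        print(req, end="\n\n")
    # A role scoped to "logs-*" only is not enough for the connector:
    too_narrow = {"cluster": ["monitor"],
                  "indices": [{"names": ["logs-*"], "privileges": ["read"]}]}
    print("missing:", missing_privileges(too_narrow))
```

Run the script to print the two requests for Kibana Dev Tools; run `missing_privileges` on the JSON from `GET /_security/role/<name>` to confirm an existing role grants everything in step 2 before you create the user in step 3.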

Data Plane Configuration

To use Attack Detective with on-prem Elasticsearch, the user has to set up a Data Plane on the SOC Prime Platform in addition to installing the connector app.

  1. Log in to your SOC Prime Platform account and go to Account icon > Platform Settings > Data Planes.

  2. Click the Add Data Plane button.

  3. Give your Data Plane profile a meaningful name.

  4. Select Elastic Stack as your platform.

  5. Enable the On Prem switch.

  6. Select if you want to share the profile across your team.

  7. Set the URL of your Kibana with the port.

  8. Generate an Attack Detective API key by clicking the icon with arrows. You'll need to specify it in the .env file when installing the connector app. Please save the API key in a safe and accessible place. For security reasons, you won't be able to view it again. If you lose this secret key, you'll need to generate a new one.

  9. Optionally, link a Custom Field Mapping profile. Custom Field Mapping profiles will be applied automatically to queries with matching log sources. Note that Share to Company and Make Default settings have to be enabled in the linked profiles.

  10. Click Save Changes.
