October 9, 2023
© 2023 SOC Prime Inc.
All rights reserved. This product and related documentation are protected by copyright and distributed under licenses restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without the prior written authorization of SOC Prime. While every precaution has been taken in the preparation of this book, SOC Prime assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.
Integrations
We've released Integrations, a new functionality to connect various ticketing, knowledge management, and communication systems in order to use respective automation features across the SOC Prime Platform.
The first system we support is Confluence. Use it to automatically document use cases based on a rule's intelligence and metadata in Uncoder AI. Other systems will be added later.
Setting up a Confluence Integration
To set up an integration with your Confluence instance, follow these steps:
Go to Account > Platform Settings > Integrations and click Add Integration in the upper right corner.
In the modal that appears, name your integration, select Confluence as the integration type, and choose if you want to share the integration with other users from your team.
Set the configuration:
URL of your Confluence domain. Paste the domain of your Confluence, for example https://companyname.atlassian.net
Username. Enter the email of the user with proper permissions in your Confluence (can view or edit parent pages under which documentation is going to be created).
API token. Enter the token generated according to this instruction by the Username you specify in this integration.
Space name. Enter the key of the space where the use case documentation is going to be created. You can find it in the URL of that space after spaces/
Parent Pages. Specify the titles of the pages under which you want to create child pages with use case documentation (note that a title should not include special characters). You'll be able to select a parent page defined here when creating a document via Uncoder AI.
Click Save Changes.
On the Integrations page, click the Check Connection icon for your newly created integration.
If the status is Connected, your integration is ready for use.
If the status is Disconnected, refer to the error message shown after clicking Check Connection or the tooltip displayed on hovering the status to find out and resolve the issues.
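The connection check above succeeds only when every configuration field is well-formed and the token's user can actually read the space. The following script is an added example, not SOC Prime's or Atlassian's code: it validates the five fields exactly as the steps above describe them (bare https domain, email username, non-empty token, space key taken from the segment after spaces/, parent page titles without special characters) and then performs the same kind of read-only check against the space. The REST endpoint, the email:token Basic-auth format, the definition of "special characters" in TITLE_SPECIAL, and the sample values are assumptions; the token is a placeholder.

```python
import base64
import json
import re
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Added example (not SOC Prime code). The REST endpoint and Basic-auth format are
# assumptions about Confluence Cloud, not something the release notes describe.

SPACE_KEY = re.compile(r"[A-Za-z0-9~]+")   # '~' prefixes personal space keys (assumption)
TITLE_SPECIAL = re.compile(r"[^\w \-()]")  # hypothetical definition of 'special characters'


def space_key_from_url(url: str) -> str:
    """Extract the space key from a space URL: the path segment right after 'spaces/'."""
    segments = urlparse(url).path.split("/")
    if "spaces" not in segments:
        raise ValueError("URL has no 'spaces/' segment")
    idx = segments.index("spaces")
    if idx + 1 >= len(segments) or not segments[idx + 1]:
        raise ValueError("no space key after 'spaces/'")
    return segments[idx + 1]


def config_problems(cfg: dict) -> list:
    """Return human-readable problems with an integration config; an empty list means OK."""
    problems = []
    u = urlparse(cfg.get("url", ""))
    if u.scheme != "https" or not u.netloc or u.path.strip("/"):
        problems.append("url must be the bare https domain, e.g. https://companyname.atlassian.net")
    if "@" not in cfg.get("username", ""):
        problems.append("username must be the email of the Confluence user")
    if not cfg.get("api_token"):
        problems.append("api_token is empty")
    if not SPACE_KEY.fullmatch(cfg.get("space_key", "")):
        problems.append("space_key must be the key shown after 'spaces/' in the space URL")
    if not cfg.get("parent_pages"):
        problems.append("at least one parent page title is required")
    bad = [t for t in cfg.get("parent_pages", []) if TITLE_SPECIAL.search(t)]
    if bad:
        problems.append(f"parent page titles contain special characters: {bad}")
    return problems


def basic_auth_header(username: str, api_token: str) -> str:
    """Atlassian API tokens travel as HTTP Basic credentials 'email:token' (assumption)."""
    raw = f"{username}:{api_token}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def space_request(cfg: dict) -> urllib.request.Request:
    """Read-only request for the configured space (Confluence Cloud REST v1 path, assumed)."""
    url = f"{cfg['url'].rstrip('/')}/wiki/rest/api/space/{cfg['space_key']}"
    headers = {
        "Authorization": basic_auth_header(cfg["username"], cfg["api_token"]),
        "Accept": "application/json",
    }
    return urllib.request.Request(url, headers=headers)


def check_connection(cfg: dict, timeout: float = 10.0):
    """Counterpart of the platform's Check Connection: (True, message) or (False, reason)."""
    problems = config_problems(cfg)
    if problems:
        return False, "Disconnected: " + "; ".join(problems)
    try:
        with urllib.request.urlopen(space_request(cfg), timeout=timeout) as resp:
            space = json.load(resp)
        return True, f"Connected: space {space.get('key')} ({space.get('name')})"
    except urllib.error.HTTPError as e:
        hint = {401: "bad email or API token", 403: "user lacks permission on the space",
                404: "space key not found"}.get(e.code, "unexpected response")
        return False, f"Disconnected: HTTP {e.code}, {hint}"
    except urllib.error.URLError as e:
        return False, f"Disconnected: {e.reason}"


if __name__ == "__main__":
    # Constructed sample config; the token is a placeholder, not a real credential.
    sample = {
        "url": "https://companyname.atlassian.net",
        "username": "detection-eng@companyname.example",
        "api_token": "<API_TOKEN_PLACEHOLDER>",
        "space_key": space_key_from_url("https://companyname.atlassian.net/wiki/spaces/SEC/overview"),
        "parent_pages": ["Detection Use Cases"],
    }
    print(config_problems(sample))
    print(check_connection(sample)[1])  # performs the network request
```

Because the token is transmitted as a Basic credential on every request, the user it belongs to should hold only the permissions the steps above call for (view or edit on the parent pages), so a leaked token cannot do more than write documentation into that space.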
Creating Use Case Documentation in Confluence
Once you've set up a Confluence integration, you can use it to automatically document use cases based on a rule's intelligence and metadata in Uncoder AI.
Open in Uncoder AI a Sigma rule published on TDM.
In the rule's Intelligence, scroll down to the USE CASE DOCUMENTATION section and click the plus icon.
In the expanded block, click Document.
In the modal that appears, select your integration and a parent page under which you want to create the child page with use case documentation.
Click Create Page.
A structured page is created at the specified location. To view the page, go to your Confluence.
Threat Detection Marketplace
Content Quality Improvements
We've improved the quality of translations into the following formats:
Microsoft Sentinel and Microsoft Defender for Endpoint
We've improved consistency by using single quotes for numeric strings.
Splunk
We've improved aggregate functions in searches by removing an excessive by clause in the datamodel alternative translations. We've added support for the re modifier to translate such rules.
CrowdStrike
We've ensured that Sigma rules are translated into this format only if all their fields are supported in CrowdStrike.
Elastic Stack
If a .text-based field has non-alphanumeric characters, it is turned into a .keyword-based field and regexes are applied.
Chronicle Security
We've added the nocase statement at the end of all expressions except for those where values are numbers. This is intended to ignore capitalization.
Sumo Logic
We've implemented multiple improvements in the translations into this platform language, in particular ensuring that correct escaping and source names are used.
Content from Custom Repos in Automation
We've added repository selection to Content Lists to enable creating Lists based on specific repositories and deploying custom repository content via Automation.
List Configuration
Now, when configuring a Static or Dynamic List, the user specifies:
Repository type
Platform Repos: repositories with content published on the SOC Prime Platform. This option is selected by default.
My Repos: custom repositories created by the user or their team.
Specific repositories within the selected type. If nothing is set here, all repositories of the selected type are used.
Notes:
You cannot change repository choice when editing a Static List.
Repository setting has been applied to all existing Static and Dynamic Lists retrospectively. They have been configured to include content from all Platform Repos.
This new setting empowers you to do the following:
Add content from custom repositories to Static or Dynamic Lists and deploy it via Automation
Use this setting as an additional filter in Dynamic Lists to only include content from specified repositories
Bulk Adding to List
We've added the Add to List bulk action on the Search page. It empowers you to add multiple rules to one or multiple Static Lists.
Set the checkboxes next to the rules you want to add and click Add to List above the search results.
In the modal that appears, set the checkmark next to the Lists you want to add the content to and click Done. Note that the modal only includes Lists set to work with the repositories that the selected content lives in. The first repository name is displayed in the List details. To show all the others (if any), hover over the three dots.
If you create a new List from this modal, an express List creation modal that appears now includes the Repositories field. It's pre-filled with the repositories that the selected content lives in. You can add more repositories of the same type using the dropdown.
New Alternative Translation for Elastic
We've added a new alternative translation ECS Case-Sensitive to all Elastic Stack content types. This is a default translation without transforming values to the case-insensitive format.
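The translation rules listed under Content Quality Improvements above (single quotes for numeric strings in Sentinel and Defender for Endpoint, the .text to .keyword switch with regexes for Elastic, the nocase suffix for Chronicle) and the ECS Case-Sensitive alternative described here all turn on the shape of the value being matched. The script below is an added example, not SOC Prime's translator: it renders one condition for each target so the effect of a numeric-looking, alphanumeric, or punctuated value can be compared side by side. The field names and values are constructed; the exact escaping conventions for each query language and the assumption that the keyword counterpart of a field is named by swapping .text for .keyword are mine, not the platform's.

```python
import re

# Added example (not SOC Prime code): how the shape of a value changes the clause
# emitted for three target languages, following the rules in the release notes.

NUMERIC = re.compile(r"-?\d+(\.\d+)?")
ALNUM = re.compile(r"[A-Za-z0-9]+")
# Lucene regular-expression metacharacters that must be backslash-escaped inside /.../
LUCENE_REGEX_META = set('.?+*|{}[]()"\\#@&<>~/')


def kql_clause(field: str, value: str) -> str:
    """Microsoft Sentinel / Defender for Endpoint (KQL): every string value is
    single-quoted, including values that look numeric, so '4624' is compared as a
    string and never coerced to a number. Operator choice (==) is an assumption."""
    escaped = value.replace("\\", "\\\\").replace("'", "\\'")
    return f"{field} == '{escaped}'"


def _lucene_regex_char(ch: str, case_insensitive: bool) -> str:
    """Escape one character for a Lucene regex; optionally expand letters to [xX]."""
    if ch in LUCENE_REGEX_META:
        return "\\" + ch
    if case_insensitive and ch.isalpha() and ch.lower() != ch.upper():
        return f"[{ch.lower()}{ch.upper()}]"
    return ch


def elastic_clause(field: str, value: str, case_insensitive: bool = True) -> str:
    """Elastic Stack (Lucene query syntax).
    - A purely alphanumeric value is matched on the analyzed .text field as is.
    - Any other value is matched on the .keyword counterpart with a regex, so
      characters such as '.', '/' or ' ' are matched literally rather than being
      split by the analyzer.
    case_insensitive=False corresponds to the ECS Case-Sensitive alternative:
    the regex keeps the original character case.
    Assumption: the keyword counterpart is named by swapping '.text' for '.keyword'."""
    if ALNUM.fullmatch(value):
        return f"{field}:{value}"
    keyword_field = field[: -len(".text")] + ".keyword" if field.endswith(".text") else field
    pattern = "".join(_lucene_regex_char(c, case_insensitive) for c in value)
    return f"{keyword_field}:/{pattern}/"


def chronicle_clause(field: str, value: str) -> str:
    """Chronicle Security (YARA-L): append 'nocase' to every string comparison so
    matching ignores capitalization; a numeric value is emitted unquoted and
    without 'nocase', because 'nocase' applies only to strings."""
    if NUMERIC.fullmatch(value):
        return f"{field} = {value}"
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'{field} = "{escaped}" nocase'


def translate_all(field_map: dict, value: str) -> dict:
    """Render one condition per target, given the field name each target uses."""
    return {
        "sentinel": kql_clause(field_map["sentinel"], value),
        "elastic": elastic_clause(field_map["elastic"], value),
        "elastic_case_sensitive": elastic_clause(field_map["elastic"], value, case_insensitive=False),
        "chronicle": chronicle_clause(field_map["chronicle"], value),
    }


if __name__ == "__main__":
    # Constructed sample: one punctuated string value and one numeric-looking value.
    fields = {
        "sentinel": "ProcessCommandLine",
        "elastic": "process.command_line.text",
        "chronicle": "$e.principal.process.command_line",
    }
    for v in ("cmd.exe /c", "4624"):
        for target, clause in translate_all(fields, v).items():
            print(f"{target:24s} {clause}")
```

Run it and compare the two Elastic variants for the same value: the default one expands every letter into a two-character class, the case-sensitive one leaves the literal intact, which is precisely the difference the ECS Case-Sensitive alternative exposes.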
Self-Serve Purchase of OnDemand Disabled
We've disabled the self-serve option to purchase an OnDemand plan for Threat Detection Marketplace or Attack Detective to ensure that each client that upgrades is timely onboarded to the product by our Customer Success team.
Uncoder AI
Premium Plan Affordable to Everyone
Cyber threats get more elaborate and widespread every day while the shortage of experts stays significant. Accordingly, we've radically reduced the price of the personal Premium Uncoder AI plan to make it affordable for every detection engineer and threat hunter in the world.
Now, the plan is just 11.99 per month. Grab it if you haven't done so yet.
Reverse Translations from CrowdStrike
We've added support for reverse translations from CrowdStrike Queries into Sigma and dozens of platform-specific formats.
Attack Detective
Hunting Scenarios
We've added Hunting Scenarios, a feature that enables you to form a pool of queries for the scan based on the threats you want to hunt for.
A Hunting Scenario is selected after the Data Audit is finished.
You can choose between the following options:
Full scan. All available queries relevant to the selected log sources and available data (analyzed based on discovered events during Data Audit).
CERT Alerts. Queries recommended by SOC Prime and developed based on cyber incident reports by the government Computer Emergency Response Teams of the US, the EU, Ukraine, and other countries.
Latest Exploits. Queries recommended by SOC Prime to detect known Common Vulnerabilities and Exposures (CVEs). This scenario includes both the most recent and notorious CVEs.
Click the down arrow next to a scenario to expand the updated Data Audit details with the applied scenario.
Spider Chart shows Detection Coverage, the percentage of techniques within each Tactic covered by queries that can be applied to your log sources in their current state.
The table shows data tables and respective log sources defined during Data Audit as well as the number of queries available for each data table and the number of tactics and techniques they cover.
Additionally, you can create your own Hunting Scenario based on a Content List:
Click Add Custom Hunting Scenario.
Set a meaningful name and add an optional description.
Select one or multiple Content Lists to define what queries will be used for scanning and click Add. Use the list type dropdown to limit the lists available for selection to one type:
My
Company
Global
By default, the All option is selected. You can add a new List here.
The selected List(s) will be added to the Content List table. The total number of queries in the List is displayed in a separate column. You can view the number of queries matching the log sources defined during Data Audit after clicking Show (Refresh) Spider Chart.
Click Show Spider Chart to see the updated Data Audit details with the applied scenario.
Spider Chart shows Detection Coverage, the percentage of techniques within each Tactic covered by queries that can be applied to your log sources in their current state.
The table shows data tables and respective log sources defined during Data Audit as well as the number of queries available for each data table and the number of tactics and techniques they cover.
Click Apply to save your scenario. It will be displayed in the Hunting Scenarios list.
If you want to edit an existing custom scenario you've created, click the pencil icon.
To delete a custom scenario, click Delete Scenario on the Edit Scenario screen. Note that deleting on the backend can take up to 30 seconds.
Proceed to running the scan.
Modal for Too Long Queries
Some queries for Microsoft Defender for Endpoint and on-prem IBM QRadar can be too long to be passed in the URL and opened automatically when the user clicks Hunt. In such cases, a modal is displayed where the user can copy the query to the clipboard and follow the link to their platform to paste the query manually. If there are multiple Data Planes, the info for each of them is presented on a separate tab.
Check Connection when Adding Data Planes
We've added the Check Connection feature on the Set up Investigation screen. Now, when you select Data Planes for an Investigation you can instantly see if the connection to them is operational.
Company Website
Prompt to Try Uncoder AI
We've added a modal that explains the potential dangers of not customizing detection code and offers to try Uncoder AI.
Solution Brief
We've added the solution brief SOC Prime’s Expertise-as-a-Service for Amazon Security Lake to the AWS Center of Excellence page. You can get it by clicking the Learn More button under the section On-Demand Amazon Security Lake Expertise.
Threat Bounty Program Application Form
We've updated the title and some field labels on the Threat Bounty Developer Program application form.
Page Improvements
Uncoder AI Landing Page. We've updated and improved the text.
Leadership Page. We've improved the adaptive layout and performance.
TDM API Integration Tool Updated
We've introduced the following updates:
Renamed the tool and related Content Pack to "TDM API Integration Tool"
Renamed Continuous Content Management (CCM) to Automation in the text of the tool's guide
Compatible version of Python now is 3.8 or higher
Updated the versions of Python libraries
Added the job_name parameter to the job input
Key Bug Fixes & Improvements
With this release, we’ve made the following key bug fixes and improvements to enhance the user experience with the SOC Prime Platform:
Fixed a bug where email notifications about the latest threat detection content were not sent to certain users
Resolved an issue that resulted in excessive characters displayed at the end of options of the CVE filter on TDM's Search
Fixed switching between industries on the customer success stories page of the company website in the Safari browser
Optimized and sped up the process of deleting an Investigation in Attack Detective to prevent cases where an error message was displayed and the Investigation stayed in the list until the page was refreshed
Fixed issues on the Cyber Threat Search Engine:
An issue where an error message was displayed when a user tried to open a rule with an empty Severity field
An issue where the code of certain Corelight rules was not available on the Search Engine
An issue where sometimes it was impossible to view the code of certain rules sourced from GitHub
Fixed bugs with Threat Bounty Bot:
