
SOC Prime Platform Product Release Notes 5.9.4

Written by Sergey Bayrachny

November 1, 2023

© 2023 SOC Prime Inc.

All rights reserved. This product and related documentation are protected by copyright and distributed under licenses restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without the prior written authorization of SOC Prime. While every precaution has been taken in the preparation of this book, SOC Prime assumes no responsibility for errors or omissions. This publication and the features described herein are subject to change without notice.

Tenants


We've released Tenants, a new feature for grouping Data Planes. A Tenant is a set of Data Planes that you pick manually, grouped by whatever attribute suits you. For example, MDRs/MSSPs may find it useful to group their Data Planes by end client.

You can manage Tenants in Platform Settings and use them in Inventory, Jobs, and Attack Detective.

Tenants Management Page

The Tenants page is located in Platform Settings.

To add a Tenant:

  1. Click the Add Tenant button.

  2. Give your Tenant a meaningful name.

  3. Provide an optional description.

  4. Add the Data Planes that will belong to this Tenant. Only Data Planes shared with the company can be added, and a Data Plane can belong to only one Tenant: the dropdown lists only the Data Planes that are both shared and not yet assigned to another Tenant.

To edit or delete a Tenant, click the corresponding icon on the right.

The Tenants feature is not enabled by default and will be included only in certain subscription plans. If this feature is not available to your organization, any Tenant selection dropdowns throughout the SOC Prime Platform will be inactive or not displayed at all.

Where to Use

  1. TDM: Inventory. Select a Tenant before choosing a specific Data Plane.

    • Any Data Planes that haven't been added to a Tenant are displayed as belonging to the default None tenant.

    • If the Tenants feature is not available to your organization, the Tenants dropdown is inactive and the Data Planes dropdown includes all your Data Planes.

  2. TDM: Jobs. Select a Tenant before choosing a specific Data Plane.

    • Any Data Planes that haven't been added to a Tenant are displayed as belonging to the default None tenant.

    • If the Tenants feature is not available to your organization, the Tenants dropdown is inactive and the Data Planes dropdown includes all your Data Planes.

  3. Attack Detective: Investigation Setup. Select a Tenant before choosing a specific Data Plane.

    • Any Data Planes that haven't been added to a Tenant are displayed as belonging to the default None tenant.

    • If the Tenants feature is not available to your organization, the Tenants dropdown is not displayed and the Data Planes dropdown includes all your Data Planes.

  4. Attack Detective: Data Audit and Choose Hunting Scenarios. The Tenant name is appended to the Data Plane name in the Data Plane selection dropdown.

  5. Attack Detective: Overview and Scan Details. Select a Tenant before choosing a specific Data Plane.

    • Any Data Planes that haven't been added to a Tenant are displayed as belonging to the default None tenant.

    • If the Tenants feature is not available to your organization, the Tenants dropdown is not displayed and the Data Planes dropdown includes all your Data Planes.

Threat Detection Marketplace


Two New Elastic Stack Content Types

We've added two types of content for Elastic Stack:

  • Elastic Query (EQL)

  • Elastic Detection Rule (EQL)

To avoid ambiguity after this update, we've renamed two of the existing Elastic Stack content types:

  • Elastic Query → Elastic Query (Lucene)

  • Elastic Detection Rule → Elastic Detection Rule (Lucene)

You can create and apply Filters for Elastic Query (EQL) and both Filters and Presets for Elastic Detection Rule (EQL).

When creating a Filter, select Elastic (Detection Rule (EQL)) in the Platform dropdown to later apply this Filter either to Elastic Queries (EQL) or to Elastic Detection Rules (EQL).

When creating a Preset, select Elastic > Detection Rule (EQL) to later apply this Preset to Elastic Detection Rules (EQL). Don't forget that you can always link a Filter to this Preset.

Syncing SIEM Content to Custom Repositories

We've added a feature to sync SIEM content to selected custom repositories. It automatically copies every rule/alert deployed in a SIEM into the custom repositories you choose on the SOC Prime Platform, so the repository becomes a managed copy of what is actually running in the SIEM. The sync is one-way: nothing is ever written from the repository back to the SIEM.

You can enable this feature in Automation > Inventory.

  1. Select the Data Plane (the integration with your SIEM) you want to synchronize with and ensure the Off/On Inventory switch is turned on. Inventory synchronization is a prerequisite for custom repository synchronization.

  2. Click the down arrow next to the Sync to Repos switch and select custom repositories you want to synchronize to.

  3. Click Save in the repository selection window to turn on the repository synchronization. Once you've defined the repositories, you can turn synchronization on and off by clicking the Sync to Repos switch.

When the Sync to Repos is turned on, synchronization takes place once an hour following this logic:

  • All content from the SIEM is copied to the selected custom repositories

    • If a rule is added in the SIEM, it is added to the selected custom repositories

    • If a rule is updated in the SIEM, it is updated in the selected custom repositories

    • If a rule is deleted from the SIEM, it is NOT removed from the selected custom repositories

  • You can manually add, modify, or delete content in the selected custom repositories. These changes are never written back to the SIEM:

    • Rules manually added to a selected custom repository will NOT be deployed to the SIEM

    • Rules manually deleted from a selected custom repository will NOT be deleted from the SIEM (and will be re-added to the repository on the next synchronization)

    • Rules manually modified in a selected custom repository will NOT be modified in the SIEM (and will be overwritten by the corresponding SIEM rules on the next synchronization)

  • Content is matched by name:

    • If multiple content items share a name (e.g. the same detection logic is deployed to Microsoft Sentinel and Chronicle Security under one name and both SIEMs sync to the same custom repository), they are stored in that repository as different translations of the same rule.

  • When a repository reaches its content limit, Inventory content stops syncing to it, so any content beyond the limit is not copied. The oldest content is copied first.

  • If the rule deployed in your SIEM is from TDM, the corresponding Sigma rule is also written to a selected custom repository.
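The rules above are easiest to reason about as a small state machine. The following Python is an added illustration written for these release notes, not SOC Prime's implementation, and it makes a few assumptions the notes leave open: repository entries are keyed by rule name with one translation per platform, the inventory list is ordered oldest-deployed first, and a full repository only blocks new entries (entries already copied keep receiving updates). Rule names, platform labels and bodies are constructed placeholders.

```python
"""Reference model of the one-way SIEM -> custom repository sync described above.

Illustrative code added here; it is not SOC Prime's implementation. Assumptions:
repository entries are keyed by rule name with one translation per platform,
the inventory list is ordered oldest-deployed first, and a full repository
only blocks new entries (entries already copied keep receiving updates).
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SiemRule:
    """A rule as deployed in one SIEM (one Data Plane)."""
    name: str
    platform: str                  # e.g. "sentinel", "chronicle"
    body: str                      # deployed query / alert logic
    sigma: Optional[str] = None    # Sigma source when the rule came from TDM


@dataclass
class RepoEntry:
    """A rule in a custom repository: one entry per name, one translation per platform."""
    translations: dict = field(default_factory=dict)   # platform -> body
    sigma: Optional[str] = None


class CustomRepo:
    def __init__(self, limit: int):
        self.limit = limit                      # per-repo content cap
        self.entries: dict[str, RepoEntry] = {}

    # Edits a user makes directly in the repository; none of them reach the SIEM.
    def manual_add(self, name: str, platform: str, body: str) -> None:
        self.entries[name] = RepoEntry({platform: body})

    def manual_delete(self, name: str) -> None:
        del self.entries[name]

    def manual_modify(self, name: str, platform: str, body: str) -> None:
        self.entries[name].translations[platform] = body


def sync(inventory: list[SiemRule], repo: CustomRepo) -> dict:
    """One hourly pass from SIEM inventory into a repo. The inventory is never written."""
    added, updated, skipped = [], [], []
    for rule in inventory:                          # oldest deployed first
        entry = repo.entries.get(rule.name)         # matching is by name only
        if entry is None:
            if len(repo.entries) >= repo.limit:
                skipped.append(rule.name)           # over the cap: not copied
                continue
            entry = repo.entries[rule.name] = RepoEntry()
            added.append(rule.name)
        elif entry.translations.get(rule.platform) != rule.body:
            updated.append(rule.name)               # new translation or an overwrite
        entry.translations[rule.platform] = rule.body   # overwrites manual edits
        if rule.sigma:
            entry.sigma = rule.sigma                # TDM rules carry their Sigma too
    # Rules removed from the SIEM are deliberately left in place: nothing is deleted.
    return {"added": added, "updated": updated, "skipped": skipped}


# Constructed sample inventories (placeholder rule bodies, not real content).
SENTINEL = [
    SiemRule("Suspicious Encoded PowerShell", "sentinel", "KQL v1",
             sigma="title: Suspicious Encoded PowerShell (TDM)"),
    SiemRule("Rare Service Installation", "sentinel", "KQL v1"),
    SiemRule("Legacy Alert", "sentinel", "KQL v1"),
]
CHRONICLE = [SiemRule("Suspicious Encoded PowerShell", "chronicle", "YARA-L v1")]


def walkthrough() -> CustomRepo:
    """Plays out the edge cases listed above and returns the resulting repository."""
    repo = CustomRepo(limit=4)
    sync(SENTINEL, repo)
    sync(CHRONICLE, repo)      # same name from a second SIEM -> second translation
    # Manual changes in the repo between two hourly passes
    repo.manual_modify("Rare Service Installation", "sentinel", "hand-edited KQL")
    repo.manual_delete("Suspicious Encoded PowerShell")
    repo.manual_add("Analyst draft", "sentinel", "never deployed")
    # Meanwhile in Sentinel: "Legacy Alert" was deleted and a new rule deployed
    sentinel_now = SENTINEL[:2] + [SiemRule("Newest Rule", "sentinel", "KQL v1")]
    sync(sentinel_now, repo)   # re-adds the deleted entry, reverts the manual edit,
    sync(CHRONICLE, repo)      # keeps "Legacy Alert", skips "Newest Rule" (cap hit)
    return repo


if __name__ == "__main__":
    for name, entry in walkthrough().entries.items():
        print(name, sorted(entry.translations), "sigma" if entry.sigma else "")
```

Running `walkthrough()` shows the practical consequence for content management: a custom repository that is a sync target is not a place to curate rules, because manual edits are reverted and manual deletions are undone every hour, while "Legacy Alert" lingers after its removal from the SIEM and "Newest Rule" never arrives once the cap is reached. Curate in a separate repository, or raise the limit, and treat the synced one as an audit copy.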

Clear Button in Inventory Updated

We've updated the design and behavior of the Clear Deleted Items button on Inventory:

  • Hover over the button to see the number of content items deleted from your SIEM

  • Click the button to start the flow of clearing from Inventory the content deleted from your organization's SIEM

Jobs Page Redesigned

We've redesigned the Jobs page to improve its layout and make the UX more consistent with other Automation pages.

  • The page now includes two tabs:

    • My: Jobs configured by the current user

    • Company: Jobs configured by other users in the organization

  • The three dots menu on the left has been replaced with action icons:

    • Run now

    • Debug logs

    • Edit

    • Delete

  • The Tenants column has been added. It shows which Tenant holds the Data Planes linked to the Job. If the Data Planes do not belong to a Tenant, a dash is displayed.

  • The search field has been added. Use it to search the Jobs by name.

Custom Repository Names

We've made custom repository names unique at the organization level, so it is no longer possible to create two repositories with identical names within the same organization, even if they are not shared.

Config Dropdown

We've made the Config dropdown on the Code tab wider to ensure all alternative translation config names fit the width.

Company Website


We've updated the Partners page:

  • Added OpenSearch, Security Lake, and Athena to the SIEM AND SECURITY ANALYTICS section

  • Added a block about partnering with AWS

  • Corrected a typo

Key Bug Fixes & Improvements


With this release, we’ve made the following key bug fixes and improvements to enhance the user experience with the SOC Prime Platform:

  • Resolved an issue on the Data Planes page so that the Connected/Disconnected status is shown only for platforms that support the Check Connection functionality. Previously, some platforms without Check Connection support showed a Disconnected status. Now, if the connection check is impossible, N/A is displayed in the Status column

  • Fixed bugs with capitalization in the Create Custom Field Mapping modal where in some cases during input wrong capitalization was automatically applied, for example CommandLine instead of commandLine

  • Fixed an issue on the Create Integration page where Parent Page names were not displayed in full during input

  • Updated the highlighting color for text selection on the SOC Prime’s Center of Excellence for Amazon Web Services page

  • Fixed a bug in Uncoder AI where in some cases it was impossible to save a Splunk Alert to a custom repository

  • Fixed a bug where in some cases a Sumo Logic Data Plane could not be saved

  • Updated the OpenSearch Host field placeholder in the AWS OpenSearch Data Plane profile by removing the port number

  • Fixed a bug where a Custom Field Mapping Profile created a long time ago could be available for selection only for some content types of its platform; for example, a profile created for Elastic Stack could appear in the CFM selection dropdown for Query but be missing from the dropdown for Detection Rule
