
SOC Prime Platform Product Release Notes 5.9.5

Written by Sergey Bayrachny

November 15, 2023

© 2023 SOC Prime Inc.

All rights reserved. This product and documentation related are protected by copyright and distributed under licenses restricting their use, copying, distribution, and decompilation. No part of this product or documentation related may be reproduced in any form or by any means without the prior written authorization of SOC Prime. While every precaution has been taken in the preparation of this book, SOC Prime assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

Public Beta of Uncoder IO


We're happy to release our revamped Uncoder IO into the public beta. It's available on GitHub as a Docker container or online.

Uncoder IO is the open-source version of Uncoder AI. Since 2018, Uncoder IO has been a fast, private, and easy-to-use online translator for Sigma Rules that keeps 100% of its users' privacy. The open-source Uncoder IO expands its use cases to the following:

  • Translation from Sigma Rules, a generic rule format for SIEM systems, to specific SIEM, EDR, and Data Lake languages

  • IOC packaging from any non-binary format such as PDF, text, STIX, or OpenIOC to specific SIEM, EDR, and Data Lake languages

  • Translation from RootA Rules, the newly released language for collective cyber defense, to specific SIEM, EDR, and Data Lake languages.

Uncoder is developed by a team of Detection Engineers, Threat Hunters, and CTI Analysts from Ukraine, Europe, the USA, Argentina, and Australia to do their daily jobs and nightly cyber defense hobbies faster and better, and to make their outcomes easier to share for the collective good.

Uncoder IO can be run on-prem without an internet connection, so it supports operation in air-gapped networks. We do, however, suggest checking for updates and deploying them regularly. Meanwhile, the SaaS version still ensures 100% privacy: no cookie tracking, no logging of data or code, and no sharing with third parties. You are always in control of your code and data.

RootA and Sigma Rules can be translated into the following formats:

  • AWS OpenSearch Query - opensearch-lucene-query

  • AWS Athena Query (Security Lake) - athena-sql-query

  • Falcon LogScale Query - logscale-lql-query

  • Falcon LogScale Rule - logscale-lql-rule

  • Splunk Query - splunk-spl-query

  • Splunk Alert - splunk-spl-rule

  • Microsoft Sentinel Query - sentinel-kql-query

  • Microsoft Sentinel Rule - sentinel-kql-rule

  • Microsoft Defender for Endpoint Query - mde-kql-query

  • IBM QRadar Query - qradar-aql-query

  • CrowdStrike Query - crowdstrike-spl-query

  • Elasticsearch Query - elastic-lucene-query

  • Elasticsearch Rule - elastic-lucene-rule

  • Sigma Rule - sigma-yml-rule

  • Chronicle Security Query - chronicle-yaral-query

  • Chronicle Security Rule - chronicle-yaral-rule
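The translation listed above (a generic Sigma rule turned into a SIEM-specific query) can be illustrated with a small translator for a Sigma subset. The code below is an added example, not Uncoder IO's implementation or any SOC Prime code. It takes a constructed Sigma-style rule (shown as the dict that `yaml.safe_load()` would return for the YAML source) and emits queries for two of the target identifiers the page lists, `splunk-spl-query` and `sentinel-kql-query`. It supports only the `contains`, `startswith` and `endswith` modifiers and flat `and`/`or`/`not` conditions over named blocks; the KQL table name `DeviceProcessEvents` and the absence of any field-name mapping are simplifying assumptions for illustration.

```python
# Constructed Sigma-style rule (not from the page), written as the dict that
# yaml.safe_load() would return for the corresponding YAML source.
RULE = {
    "title": "Encoded PowerShell command line",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["-enc", "-EncodedCommand"],
        },
        "filter": {"ParentImage|endswith": "\\explorer.exe"},
        "condition": "selection and not filter",
    },
}


def _escape(value) -> str:
    """Escape a literal for a double-quoted string in either target language."""
    return str(value).replace("\\", "\\\\").replace('"', '\\"')


def _spl_term(field: str, mods: list, value) -> str:
    # SPL has no contains/endswith operators; wildcards on the literal do the job.
    v = _escape(value)
    if "contains" in mods:
        v = f"*{v}*"
    elif "startswith" in mods:
        v = f"{v}*"
    elif "endswith" in mods:
        v = f"*{v}"
    return f'{field}="{v}"'


def _kql_term(field: str, mods: list, value) -> str:
    # KQL has native string operators; "=~" is the case-insensitive equality.
    ops = {"contains": "contains", "startswith": "startswith", "endswith": "endswith"}
    op = next((ops[m] for m in mods if m in ops), "=~")
    return f'{field} {op} "{_escape(value)}"'


# Target identifiers are the ones listed on the page; the KQL table is an
# assumption for a Windows process_creation log source.
TARGETS = {
    "splunk-spl-query": dict(
        term=_spl_term,
        kw={"and": "AND", "or": "OR", "not": "NOT"},
        wrap=lambda expr: f"search {expr}",
    ),
    "sentinel-kql-query": dict(
        term=_kql_term,
        kw={"and": "and", "or": "or", "not": "not"},
        wrap=lambda expr: f"DeviceProcessEvents\n| where {expr}",
    ),
}


def _render_block(fields: dict, term, kw: dict) -> str:
    """Sigma semantics: fields inside one block are ANDed, list values are ORed."""
    parts = []
    for key, value in fields.items():
        name, *mods = key.split("|")
        values = value if isinstance(value, list) else [value]
        terms = [term(name, mods, v) for v in values]
        parts.append(terms[0] if len(terms) == 1 else "(" + f" {kw['or']} ".join(terms) + ")")
    return f" {kw['and']} ".join(parts)


def translate(rule: dict, target: str) -> str:
    """Translate a Sigma-subset rule into the query language named by `target`."""
    cfg = TARGETS[target]
    det = rule["detection"]
    tokens = []
    # The condition is walked token by token: keywords are mapped to the
    # target's spelling, block names are replaced by the rendered block.
    for tok in det["condition"].split():
        if tok.lower() in cfg["kw"]:
            tokens.append(cfg["kw"][tok.lower()])
        else:
            tokens.append("(" + _render_block(det[tok], cfg["term"], cfg["kw"]) + ")")
    return cfg["wrap"](" ".join(tokens))


if __name__ == "__main__":
    for target in TARGETS:
        print(f"# {target}\n{translate(RULE, target)}\n")
```

A real translator also has to map Sigma field names onto each backend's schema (for instance `Image` to the process path column of the chosen table) and to handle the remaining modifiers and the `1 of`/`all of` condition forms; the value escaping above is the part most often gotten wrong when such translations are hand-written.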

IOC-based queries can be generated in the following formats:

  • Microsoft Sentinel Query - sentinel-kql-query

  • Microsoft Defender for Endpoint Query - mde-kql-query

  • Splunk Query - splunk-spl-query

  • CrowdStrike Query - crowdstrike-spl-query

  • Elasticsearch Query - elastic-lucene-query

  • AWS OpenSearch Query - opensearch-lucene-query

  • Falcon LogScale Query - logscale-lql-query

  • IBM QRadar Query - qradar-aql-query

  • AWS Athena Query (Security Lake) - athena-sql-query

  • Chronicle Security Query - chronicle-yaral-query

The following types of IOCs are supported:

  • Hash

  • Domain

  • URL

  • IP

To learn more, see Uncoder IO's readme on GitHub.
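To show what the IOC packaging described above amounts to in practice, the following added example (not Uncoder IO's code or any SOC Prime code) extracts the four IOC types the page names, hash, domain, URL and IP, from a constructed, defanged report text and packages them into a Splunk SPL query and a Microsoft Sentinel KQL query. The sample text, the Splunk field names (`dest_ip`, `query`, `url`, `file_hash`) and the KQL table and column names are assumptions for illustration; map them to the schema of your own data before use.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample report (not from the page); indicators are deliberately
# defanged the way CTI write-ups usually present them.
SAMPLE_REPORT = """
The loader beacons to hxxp://update-check[.]example[.]net/gate.php and to
198.51.100.23. Dropped payload SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,
MD5 d41d8cd98f00b204e9800998ecf8427e. Fallback C2: evil-cdn[.]example[.]org.
"""


@dataclass
class IocSet:
    ips: set = field(default_factory=set)
    domains: set = field(default_factory=set)
    urls: set = field(default_factory=set)
    hashes: set = field(default_factory=set)


def refang(text: str) -> str:
    """Undo common defanging so indicators appear in the form a SIEM logs them."""
    for old, new in (("hxxps://", "https://"), ("hxxp://", "http://"),
                     ("[.]", "."), ("(.)", "."), ("[:]", ":")):
        text = text.replace(old, new)
    return text


IPV4 = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
URL = re.compile(r"\bhttps?://[^\s\"'<>]+")
DOMAIN = re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}\b", re.I)
# Alternation is ordered longest-first so a SHA256 is not split into shorter hits.
HASH = re.compile(r"\b(?:[a-f0-9]{64}|[a-f0-9]{40}|[a-f0-9]{32})\b", re.I)


def extract_iocs(text: str) -> IocSet:
    """Pull hashes, domains, URLs and IPv4 addresses out of free text."""
    text = refang(text)
    iocs = IocSet()
    for m in URL.finditer(text):
        url = m.group(0).rstrip(".,;)")
        iocs.urls.add(url)
        host = urlsplit(url).hostname
        if host:  # the URL's host is an indicator in its own right
            (iocs.ips if IPV4.fullmatch(host) else iocs.domains).add(host.lower())
    # Blank out URLs so their paths are not re-matched as bare domains.
    rest = URL.sub(" ", text)
    iocs.ips.update(m.group(0) for m in IPV4.finditer(rest))
    iocs.domains.update(m.group(0).lower() for m in DOMAIN.finditer(rest))
    iocs.hashes.update(m.group(0).lower() for m in HASH.finditer(rest))
    return iocs


def _q(value: str) -> str:
    """Quote a value for a double-quoted query literal."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


# Field names below are assumptions (Splunk CIM-like names and CommonSecurityLog
# columns); adjust them to the data model your logs are normalised to.
def to_splunk_spl(iocs: IocSet) -> str:
    groups = [("dest_ip", iocs.ips), ("query", iocs.domains),
              ("url", iocs.urls), ("file_hash", iocs.hashes)]
    clauses = [f"{fld} IN ({', '.join(_q(v) for v in sorted(vals))})"
               for fld, vals in groups if vals]
    return "search " + " OR ".join(clauses)


def to_kql(iocs: IocSet, table: str = "CommonSecurityLog") -> str:
    groups = [("DestinationIP", iocs.ips), ("DestinationHostName", iocs.domains),
              ("RequestURL", iocs.urls), ("FileHash", iocs.hashes)]
    clauses = [f"{fld} in~ ({', '.join(_q(v) for v in sorted(vals))})"
               for fld, vals in groups if vals]
    return f"{table}\n| where " + "\n    or ".join(clauses)


if __name__ == "__main__":
    found = extract_iocs(SAMPLE_REPORT)
    print(to_splunk_spl(found))
    print()
    print(to_kql(found))
```

Two details matter for the quality of the resulting query: refanging has to happen before matching, or the `[.]` forms never match a real log, and URLs are removed before the bare-domain pass so that a path segment such as `gate.php` is not mistaken for a hostname. Sorting the values keeps the generated query stable between runs, which makes it easier to diff when a report is updated.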

RootA Initial Release


We've released RootA, a public-domain language for collective cyber defense, created to make threat detection, incident response, and actor attribution simple. It acts as an open-source wrapper on top of most of the existing SIEM, EDR, XDR, and Data Lake query languages. If you learn the basics of RootA, you will be able to contribute to collective defense. And if you have mastered a specific SIEM language, with RootA and Uncoder IO you can speak them all.

The objective of RootA is to accelerate collaboration across the global cyber industry. With RootA acting as a wrapper, cyber defenders can take a native rule or query and augment it with metadata so that the code can be automatically translated into other SIEM, EDR, XDR, and Data Lake languages. Inspired by the success of Yara and Sigma rules, RootA is focused on broader applicability by a larger community of defenders.

  • RootA is expressed using YAML, a wide-spread, easy-to-write, and human-readable format.

  • Use any query language for detection; Uncoder IO will take care of the translation.

  • Correlation support. Common correlations are supported by RootA in order to make detection logic harder for attackers to bypass, more compute-efficient, and future-proof.

  • Log sources can be explicitly or implicitly defined in the native query itself or in the customizable logsource field.

  • RootA syntax fully accommodates OCSF and Sigma as taxonomies, making it fast to learn, easy to read and share, and providing maximum compatibility for Detection Engineers.

  • Threat Actor Timeline. While Actors change, behaviors often stay the same. RootA supports an additional threat intelligence layer for CERTs, NCSCs, ISACs, MDRs, and Defence Agencies, to coordinate defence faster and with greater precision.

  • Mapping to TTPs. Link detection logic to related tactics, techniques, and procedures in terms of MITRE ATT&CK®. Use custom tags to make the mapping even more tailored and detailed.

  • Response as Code. With enough community members and industry adoption, the next step after detection is sharing the code to automate response.

You can start writing RootA rules in any code editor that supports YAML. To translate RootA rules into other languages, use Uncoder IO, either by building it from source (https://github.com/UncoderIO/UncoderIO) or by using the instance hosted online privately by SOC Prime since 2018 at https://uncoder.io

Learn more about RootA on its website, get a better understanding from its Readme on GitHub, or dive right into the language specification.

Threat Detection Marketplace


We've substantially increased the speed of content synchronization from the SIEM to the selected custom repositories in Inventory.

Uncoder AI


To expand the capabilities offered by the Community, Solo, and OnDemand subscription plans, we've updated the following limitations:

  • Community

    • IOC-based query generations per user per day: 10 → unlimited

    • Parsed IOCs for query generation: 20 → 10,000

  • Solo

    • Parsed IOCs for query generation: 500 → 10,000

  • OnDemand

    • Parsed IOCs for query generation: 1,000 → 10,000

The Prime Hunt Updated


New Integrations

We've added new integrations to make the range of available capabilities even wider:

  • AbuseIPDB

  • URLhaus (by Abuse.ch)

  • MalwareBazaar MD5 (by Abuse.ch)

  • MalwareBazaar SHA256 (by Abuse.ch)

  • ThreatFox IOCs (by Abuse.ch)

  • FeodoTracker C&C (by Abuse.ch)

  • Shodan

Window Resizing Improved

Now it's possible to simultaneously resize the extension window both vertically and horizontally.

Key Bug Fixes & Improvements


With this release, we’ve made the following key bug fixes and improvements to enhance the user experience with the SOC Prime Platform:

  • Fixed a bug on the My Subscription page where the organization's Uncoder AI subscription plan name was displayed instead of the personal one

  • Fixed a bug where in rare cases the Uncoder AI Community subscription was not enabled by default during the registration of a free account
