
SOC Prime Platform Product Release Notes 5.9.8

Written by Sergey Bayrachny

January 10, 2024

© 2024 SOC Prime Inc.

All rights reserved. This product and documentation related are protected by copyright and distributed under licenses restricting their use, copying, distribution, and decompilation. No part of this product or documentation related may be reproduced in any form or by any means without the prior written authorization of SOC Prime. While every precaution has been taken in the preparation of this book, SOC Prime assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

Single Sign-On


We've added support for single sign-on using Okta with SAML 2.0. The availability of SSO depends on your subscription plan. If the feature is available to your organization, contact your Customer Success manager to enable it. After that, a user with a Manager role can configure the single sign-on (SSO) login for their organization on the SSO Configuration page in Platform Settings.

Once the SSO is configured, the Manager can make SSO login optional or required for their team.

To find the step-by-step instructions on the configurations both on the SOC Prime Platform side and the Okta side, see this Help Center article.

Threat Detection Marketplace


Hiding in Search Results

We've added a feature to hide a given rule in the Search results for your entire team. To hide a rule, click the eye icon:

  • On a rule's tile in Search results

  • On a rule's page

Once the rule is hidden, the icon changes its state. Click it again to unhide the rule.

To see both hidden and non-hidden rules in the results, enable the Show hidden filter. (If it isn't displayed in the filters panel, click More Expert Filters and set a checkmark next to this filter.)

Once the filter is enabled, you can also set the checkmark Only hidden to show only those rules that were hidden in Search results.

Note:

Hiding a rule from Search results does not affect any analytics. For example, if a hidden rule has been marked as deployed, it will be included as deployed in MITRE ATT&CK® Coverage and Log Source Coverage.

Marking a Rule as Deployed

We've added a possibility to mark a rule as deployed right on the rule's page:

  1. Click the Mark as Deployed icon.

  2. Select platforms into which the rule has been deployed. By default, the dropdown suggests your previous selection.

  3. Click Add.

If you click the icon for a rule that is already marked as deployed, whether manually or automatically (after deployment via Automation), all platforms are marked as undeployed: both the platforms that were manually marked as deployed and the platforms into which the rule was deployed via Automation.

Search Profile Updates

We've added two new checkboxes to the Search Profile:

  • Show hidden in Search results. When the profile is applied in Search, the rules marked with “Hide in Search results” by your team are unhidden in the search results. Note that this option does not affect your organization’s insights in Analytics.

  • Do not show deployed. When the profile is applied in Search, the rules your team has deployed automatically or marked as deployed manually are excluded from the search results. Note that this option does not affect your organization’s insights in Analytics.

Team Management

We've renamed the My Team page to Team Management and added a corresponding item to the menu under the Account icon for ease of navigation.

Option Sorting

On the rule's page, the options of the following code customization features are now sorted alphabetically:

  • Custom Field Mapping

  • Config

  • Presets

  • Filters

Data Plane Sharing Setting

Now, only the owner of a shared Data Plane can change its sharing setting.

UI Improvements

  • We've refreshed the look of the History page and made its design consistent with other pages in Automation

  • We've added a tooltip for the content List type field that explains that you cannot change the type once the list has been created

  • We've added the rule status to the metadata on the rule's page

Attack Detective


We've added support for Falcon LogScale, both cloud and on-prem. To create a Data Plane profile for your Falcon LogScale that can be used in Attack Detective, go to Platform Settings > Data Planes and click Add Data Plane.

Falcon LogScale Cloud

  1. Select Falcon LogScale as your platform.

  2. Ensure the On Prem switch is disabled.

  3. Ensure Attack Detective is selected as a place to use your Data Plane.

  4. Provide your credentials:

    • Falcon LogScale URL. The URL of your Falcon LogScale web console that you can copy from your browser. The link should not contain a repository or view name if the Data Plane is going to be used only for Attack Detective. Otherwise, if you will also use it for Automation and hunting, the URL should include a repository or view name.

    • API Token. A repository token generated in Falcon LogScale that grants the required API access to your repository. See this instruction on how to create a token.

    Note:

    You need to grant the Data read access permission when generating a repository token in Falcon LogScale.

  5. Optionally, specify Default Custom Field Mappings.

  6. Click Save Changes.

Falcon LogScale On-Prem

  1. Select Falcon LogScale as your platform.

  2. Ensure the On Prem switch is enabled.

  3. Provide your credentials:

    • Falcon LogScale URL. The URL of your Falcon LogScale web console that you can copy from your browser. The link should not contain a repository or view name.

    • Attack Detective API key. Generate an Attack Detective API key needed to configure the SOC Prime Attack Detective App for Falcon LogScale.

    Note:

    You need to grant the Data read access permission when generating a repository token in Falcon LogScale.

  4. Click Save Changes.

Note: To connect Attack Detective to your on-prem instance, you also need to install the SOC Prime Attack Detective App for Falcon LogScale. For details, see this help article.

More Functionality under Paid Plans


Now, an OnDemand or Enterprise subscription on any of the SOC Prime Platform main products (TDM, Uncoder AI, Attack Detective) includes unlimited access to the following features across the Platform:

  • Data Planes

  • Custom Field Mapping

  • Presets

  • Filters

Note: Under OnDemand Attack Detective, you can set up any number of Data Planes on the SOC Prime Platform, but only 3 of them can be used in Investigations.

TDM API Integration Tool


We've added an optional overwrite_existing_rules parameter in the splunk_alert, splunk, xpack-watcher, and elasticsearch-rule outputs. If set to true, it overwrites the existing rules with new versions.

OpenCTI SOC Prime Connector


We've added parsing of the following rule details:

  • Tools: for the Malware tab

  • Actors (APTs): for Intrusion sets

  • CVE: for Vulnerabilities

MITRE ATT&CK® Version Updated


We've updated MITRE ATT&CK used in all SOC Prime Platform products to v14.0. To learn more about what has changed in this version, check out MITRE ATT&CK's release notes.

Key Bug Fixes & Improvements


With this release, we’ve made the following key bug fixes and improvements to enhance the user experience with the SOC Prime Platform:

  • Fixed a bug in Threat Bounty Bot where in some cases a Sigma rule was saved without a UUID if its UUID was removed during editing

  • Fixed a bug on the company website where a wrong link was opened after clicking Why SOC Prime in the footer

  • Resolved an issue that resulted in a wrong format of the query for Microsoft Defender for Endpoint generated in Uncoder AI based on parsed IOCs

  • Now, the Edit button is displayed right away after creating a Data Plane so you don't have to refresh the page to see it

  • Fixed a bug where in some cases the layout of TDM's Search was broken when displaying results of certain search requests

  • Resolved the issue that resulted in Quick Hunt not working for Chronicle Security

  • Fixed a bug with Custom Field Mapping for Splunk where mappings were applied to Splunk Alert fields they were not intended for

  • Fixed dashboard layout issues in Safari that sometimes occurred after zooming in on TDM's Overview page

  • Fixed an issue with Calendly integration in the Help Center menu where the scheduler disappeared once the user clicked on it

  • Removed the inactive Add to My Repo button from bulk actions in Inventory since this functionality is not supported yet

  • Added a check for existing content in Jobs that deploy content from custom repositories. If a content item is already present in the SIEM, the Job skips it. Previously, the Job would try to deploy it and write a log that the content item already exists

  • Improved the Check Connection feature for Splunk when adding a Data Plane to an Investigation in Attack Detective
