SOC Prime Platform Product Release Notes 5.10.0

Written by Sergey Bayrachny

February 7, 2024

© 2024 SOC Prime Inc.

All rights reserved. This product and documentation related are protected by copyright and distributed under licenses restricting their use, copying, distribution, and decompilation. No part of this product or documentation related may be reproduced in any form or by any means without the prior written authorization of SOC Prime. While every precaution has been taken in the preparation of this book, SOC Prime assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

Threat Detection Marketplace


Raptor Alternative Translations

We've added the Raptor alternative translations to the CrowdStrike Endpoint Security format. This option allows users of the "Raptor" release to benefit from the translations into the query language of the new version of the Falcon platform.

MITRE ATT&CK® Updated

We've updated the version of MITRE ATT&CK used in all products of the SOC Prime Platform from v14.0 to v14.1. To find out details on what's changed, see MITRE ATT&CK Release Notes.

New Bulk Actions

We've added the following bulk actions in TDM's Search:

  • Hide in Search

  • Mark as Deployed

Note that these actions are applied only to those selected content items to which they are applicable. The logic is as follows:

  • Hide in Search Results:

    • If at least one selected content item is not hidden, the button reads Hide in Search Results. Once clicked, all selected non-hidden content items become hidden and the selected hidden content items stay hidden.

    • If all selected content items are hidden, the button reads Unhide in Search Results. Once clicked, all selected hidden content items become unhidden.

  • Mark as Deployed:

    • If at least one selected content item has no translations marked as deployed, the button reads Mark as Deployed. Once you click it and confirm the selection of translations, the selected translations are marked as deployed for all selected content items. If a selected translation is not present in some content items, only selected translations that are present will be marked as deployed in those content items.

    • If all selected content items have at least one translation marked as deployed, the button reads Mark as Undeployed. Once clicked, all translations of all selected content items are marked as undeployed.

  • Add to List and Fork to My Repo:

    • These bulk actions are applied only to those selected content items that are available to you (with such statuses as Unlocked, Promo, Free Access). Unavailable content is skipped.

Deploy Modals Updated

We've removed redundant uneditable fields from the Deploy modals. Now they include only the content item name, the Data Plane name, and the code to be deployed, where the user can make any final tweaks.

Minor Look and Feel Improvements

We continue to make the look and feel of the SOC Prime Platform more modern and consistent across pages. This includes the following updates:

  • Hover state of some items in lists, action icons, and buttons

  • Some page and section titles

  • Some column headers

  • Search fields in Platform Settings

Content Action State Icons Updated

We've updated the icons that represent content action states to make them more intuitive and avoid mixing them up with other icons.

The table in the original shows the old and new icons (as images) for each action state: Not Viewed (previously had no icon), Viewed, Downloaded, and Deployed.

Attack Detective


Chronicle Security Support

We've added support for Chronicle Security. You can set up a Chronicle Security Data Plane in Platform Settings > Data Planes.

  1. Click Add Data Plane.

  2. Name your profile, select Chronicle Security as your platform, and choose whether to share the profile with your teammates. A shared Data Plane is available to all users in your organization for use, viewing, and editing.

  3. Select Attack Detective as a place to use the Data Plane.

  4. Fill in the fields that appear in the Configuration section:

    • Chronicle Security URL. The URL of your Chronicle Security web console that you can copy from your browser

    • Project ID

    • Private Key ID

    • Private Key

    • Client Email

    • Client ID

    • Auth URI

    • Token URI

    • Auth Provider x509 Cert URL

    • Client x509 Cert URL

    • Region

    Note:

    You need to have API access under your Chronicle Security subscription with the appropriate permissions to read resources. Request the Chronicle API credentials from your reseller or dedicated Google Partner Team. When you have the credentials, import them by clicking Import JSON at the bottom of the Data Plane configuration screen.

  5. Optionally, configure the following setting:

    • Default Custom Field Mappings. Select the Custom Field Mapping profiles you would like to assign to this Data Plane.

  6. Click Save Changes.

  7. Check the connection status of the newly created Data Plane on the Data Planes page:

    • If the status is Connected, the Data Plane integration is ready for use.

    • If the status is Disconnected, see the information in the tooltip and check the entered credentials.
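The Configuration fields above are the fields of a Google Cloud service-account key file, which is what Import JSON loads. The following added example (not SOC Prime's or Google's code, and the one-to-one mapping onto the standard key-file field names is an assumption) checks such a file before it is handed to the Data Plane, so that a Disconnected status can be separated from a malformed or truncated credentials file; Region is entered separately in the form and is not checked.

```python
import json
import re

# Key names of a standard Google Cloud service-account key file. The Data Plane
# fields listed above map onto them one-to-one; that Import JSON expects a file of
# this shape is an assumption. "Region" is typed into the form, so it is not here.
REQUIRED_KEYS = (
    "project_id", "private_key_id", "private_key", "client_email", "client_id",
    "auth_uri", "token_uri", "auth_provider_x509_cert_url", "client_x509_cert_url",
)
SA_EMAIL = re.compile(r"[^@\s]+@[^@\s]+\.iam\.gserviceaccount\.com")


def validate_service_account_json(raw: str) -> list[str]:
    """Return the problems found in a key file; an empty list means it looks importable."""
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(data, dict):
        return ["top-level JSON value is not an object"]
    problems = []
    if data.get("type") != "service_account":
        problems.append('"type" is not "service_account"')
    for key in REQUIRED_KEYS:
        if not isinstance(data.get(key), str) or not data[key].strip():
            problems.append(f'missing or empty field "{key}"')
    pem = data.get("private_key")
    if isinstance(pem, str) and pem.strip() and not (
        pem.startswith("-----BEGIN PRIVATE KEY-----")
        and pem.rstrip().endswith("-----END PRIVATE KEY-----")
    ):
        problems.append('"private_key" is not a PEM-encoded PKCS#8 private key')
    email = data.get("client_email")
    if isinstance(email, str) and email.strip() and not SA_EMAIL.fullmatch(email):
        problems.append('"client_email" is not a service-account address')
    return problems


# Constructed sample for the check above; every value is a placeholder, not a real key.
SAMPLE_KEY = json.dumps({
    "type": "service_account", "project_id": "example-project",
    "private_key_id": "0123456789abcdef", "client_id": "123456789012345678901",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "chronicle-reader@example-project.iam.gserviceaccount.com",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
    "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/placeholder",
})
```

Run the check on the file you received from your reseller before importing it; a non-empty list means the file itself needs fixing, while an empty list and a Disconnected status points at permissions on the Chronicle side.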

Once a Data Plane is created, you can use it in Investigations. Note that Investigations in Chronicle Security involve certain constraints imposed by the Chronicle Security API limitations:

  • The Chronicle Security API has a rate limit of 60 queries per 30 minutes. We recommend using scenarios to limit the number of queries in a scan and keep scanning time reasonably short.

  • Blind Spots are not available due to the Chronicle API limitations.

  • The maximum supported number of log sources is 60. If you have more log sources, please contact us.

  • The total number of users and assets cannot be retrieved. Only the number of affected users and assets is shown in the statistics.

  • We do not recommend using the same API token for multiple simultaneous scans, since this may substantially decrease the scanning speed.

Uncoder AI


Hot OSINT Indicators

Now, you can use Search in Uncoder AI to get access to packs of hot OSINT indicators. The packs are prepared by our content team and contain Indicators of Compromise related to a particular threat.

You can search IOC packs by their name or the author of the IOCs.

Editing Intelligence

When saving a rule to a custom repository, you can now fill in or edit its basic Intelligence fields:

  • MITRE ATT&CK® fields:

    • Tactics – names or IDs. You can check the full list of possible values here

    • Techniques and sub-techniques – names or IDs. You can check the full list of possible values here

    • Tools/Software – names or IDs. You can check the full list of possible values here

    • Actors/Groups – names or IDs. You can check the full list of possible values here

  • Additional tags:

    • Log sources – the log source category, product, or service from the Sigma rule, plus any custom value (saved custom values become available in the dropdown options across your organization)

    • Custom – any custom value (saved custom values become available in the dropdown options across your organization)

Click the Parse Metadata button to automatically parse available values from the Sigma rule.

Note:

  • Parsing is not available for content in other languages yet

  • If you use parsing, all manual input in both MITRE ATT&CK and Tags sections will be overwritten
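To make concrete what parsing "available values from the Sigma rule" yields, here is an added example (not SOC Prime's Parse Metadata implementation) that sorts a rule's tags into the four MITRE ATT&CK fields above using Sigma's documented tag conventions (attack.<tactic>, attack.tNNNN.NNN, attack.sNNNN, attack.gNNNN) and takes the log source from the rule's logsource block; that Parse Metadata follows exactly these conventions is an assumption.

```python
import re

# Sigma tag conventions: attack.<tactic_name>, attack.tNNNN(.NNN) for techniques and
# sub-techniques, attack.sNNNN for software, attack.gNNNN for groups. Anything outside
# the attack.* namespace is treated as a custom tag. How Parse Metadata itself maps
# these is an assumption; this is an illustration, not the platform's code.
TECHNIQUE = re.compile(r"t\d{4}(\.\d{3})?")
SOFTWARE = re.compile(r"s\d{4}")
GROUP = re.compile(r"g\d{4}")


def parse_metadata(rule: dict) -> dict:
    """Extract the Intelligence fields listed above from an already-parsed Sigma rule."""
    meta = {"tactics": [], "techniques": [], "tools": [], "actors": [],
            "log_sources": [], "custom": []}
    for tag in rule.get("tags", []):
        tag = tag.lower()
        if not tag.startswith("attack."):
            meta["custom"].append(tag)
            continue
        value = tag[len("attack."):]
        if TECHNIQUE.fullmatch(value):
            meta["techniques"].append(value.upper())       # e.g. T1059.001
        elif SOFTWARE.fullmatch(value):
            meta["tools"].append(value.upper())            # e.g. S0194
        elif GROUP.fullmatch(value):
            meta["actors"].append(value.upper())           # e.g. G0016
        else:
            meta["tactics"].append(value.replace("_", "-"))  # defense_evasion -> defense-evasion
    logsource = rule.get("logsource", {})
    meta["log_sources"] = [logsource[k] for k in ("category", "product", "service") if k in logsource]
    return meta


# Constructed sample rule, given as the mapping a YAML parser would produce (no YAML dependency).
SAMPLE_RULE = {
    "title": "Example: Encoded PowerShell Command Line",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {"selection": {"CommandLine|contains": "-EncodedCommand"}, "condition": "selection"},
    "tags": ["attack.execution", "attack.t1059.001", "attack.defense_evasion",
             "attack.t1027", "attack.s0194", "attack.g0016", "tlp.amber"],
}
```

Because parsing overwrites manual input in both sections, compare the returned mapping with what you typed before clicking Parse Metadata.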

Once you've saved a rule in a custom repository, you can view its intelligence right in Uncoder AI by clicking the Intelligence button.

You can also view the saved metadata in TDM, on the Intelligence tab of your rule's page.

The Prime Hunt


We've released v1.4.2, which features the following updates:

  • Added support for Chronicle Security

  • Added the ability to set up mail templates for sharing IOCs easily. To learn more about this functionality, see the corresponding section of the Readme on GitHub.

  • Made minor improvements in the extension's architecture

Key Bug Fixes & Improvements


With this release, we’ve made the following key bug fixes and improvements to enhance the user experience with the SOC Prime Platform:

  • Resolved an issue in Automation where some Elastic Stack Detection Rules were not added to Inventory after synchronization

  • Fixed a bug that resulted in wrong statistics displayed on the Top Authors dashboard on the Threat Bounty Portal

  • Made the Account menu close automatically once the Collaborate menu has been opened

  • All elements of the Help Center now open in a new tab

  • Threat Bounty Bot no longer automatically adds parent MITRE ATT&CK® techniques to the indicated sub-techniques

  • Fixed a bug where under certain conditions the Delete bulk action button wasn't displayed if only one content item was selected in a custom repository

  • Fixed a bug where certain rules were not deployed into Elastic Stack through the TDM API Integration Tool