March 6, 2024
© 2024 SOC Prime Inc.
All rights reserved. This product and its related documentation are protected by copyright and distributed under licenses restricting their use, copying, distribution, and decompilation. No part of this product or its related documentation may be reproduced in any form or by any means without the prior written authorization of SOC Prime. While every precaution has been taken in the preparation of this book, SOC Prime assumes no responsibility for errors or omissions. This publication and the features described herein are subject to change without notice.
Threat Detection Marketplace
Personal API Keys
Now, each user of an organization that has access to the SOC Prime Platform API can generate personal API keys.
Go to Account icon > Platform Settings > API to see all your existing keys or generate a new one.
To create a new key:
Click Add New Key.
In the modal that appears:
Give your key a meaningful name.
Set the expiration date.
Optionally define allowed IPs.
Select the product APIs the key provides access to.
Click Generate.
The API Key Generated modal appears. Copy the key and save it in a safe place. You won't be able to view it again once you close this modal. The key is stored in an encrypted format.
Each user can create up to 20 keys.
Note:
Existing API keys were migrated for the organizations that had been using the API and were assigned to a member of the respective team.
Connection Check for More Platforms
We've added support for checking the connection to a Data Plane for more platforms:
Splunk (Attack Detective integration with cloud and on-prem environments)
Microsoft Defender for Endpoint (Attack Detective integration)
OpenSearch (Attack Detective integration)
New API Endpoints
We've added the following new Threat Detection Marketplace API endpoints:
GET /check-connection – check if the API key is active
GET /custom-repositories – get custom repositories available to the user
GET /mitre-attack-tags-values – get the list of available MITRE ATT&CK® tags
POST /custom-content – save a content item to a custom repository
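The Personal API Keys section above describes the properties a key is created with (name, expiration date, optional allowed IPs, product API scopes, a per-user limit of 20, shown once and then stored protected), and the /check-connection endpoint reports whether a presented key is active. The following is an added example, not SOC Prime's code or API: it models the server side of such a key store so the checks an active-key verdict depends on are explicit. The class and function names, the product scope names, and the choice to store a SHA-256 digest (the page says keys are stored encrypted) are assumptions of this example.

```python
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_KEYS_PER_USER = 20  # per-user limit stated in these release notes
# Product APIs a key can be scoped to; these names are assumed for the example.
PRODUCT_APIS = frozenset({"tdm", "attack-detective", "uncoder-ai"})


@dataclass
class ApiKeyRecord:
    key_id: str
    name: str
    user: str
    key_hash: str          # SHA-256 of the plaintext key; the plaintext is never stored
    expires_at: datetime   # timezone-aware
    allowed_ips: tuple     # ipaddress networks; an empty tuple means "any source IP"
    scopes: frozenset      # subset of PRODUCT_APIS


def days_from_now(days):
    """Timezone-aware helper used for expiration dates in this example."""
    return datetime.now(timezone.utc) + timedelta(days=days)


def _digest(key):
    # A random 256-bit secret does not need a slow password hash; SHA-256 suffices.
    return hashlib.sha256(key.encode()).hexdigest()


class KeyStore:
    """In-memory model of per-user personal API keys (assumed design, not SOC Prime's)."""

    def __init__(self):
        self._records = {}  # key_id -> ApiKeyRecord

    def generate(self, user, name, expires_at, allowed_ips=(), scopes=()):
        """Validate the creation request and return the plaintext key exactly once."""
        if not name.strip():
            raise ValueError("key needs a meaningful name")
        if expires_at.tzinfo is None or expires_at <= datetime.now(timezone.utc):
            raise ValueError("expiration must be a timezone-aware date in the future")
        if sum(r.user == user for r in self._records.values()) >= MAX_KEYS_PER_USER:
            raise ValueError(f"user {user} already has {MAX_KEYS_PER_USER} keys")
        scope_set = frozenset(scopes)
        if not scope_set or not scope_set <= PRODUCT_APIS:
            raise ValueError("select one or more known product APIs")
        # strict=False lets "10.1.2.3/8"-style input be normalised to its network
        networks = tuple(ipaddress.ip_network(ip, strict=False) for ip in allowed_ips)
        key_id = secrets.token_hex(8)                          # public id, safe to log
        plaintext = f"{key_id}.{secrets.token_urlsafe(32)}"   # 256 bits of secret
        self._records[key_id] = ApiKeyRecord(
            key_id, name, user, _digest(plaintext), expires_at, networks, scope_set)
        return plaintext  # the "copy it now" value; it cannot be retrieved again

    def check_connection(self, presented_key, client_ip, now=None):
        """Server side of a /check-connection style call: is this key active, from here, now?"""
        now = now or datetime.now(timezone.utc)
        rec = self._records.get(presented_key.partition(".")[0])
        # Constant-time digest comparison so a wrong secret cannot be told apart by timing
        if rec is None or not hmac.compare_digest(rec.key_hash, _digest(presented_key)):
            return "invalid"
        if now >= rec.expires_at:
            return "expired"
        if rec.allowed_ips and not any(
                ipaddress.ip_address(client_ip) in net for net in rec.allowed_ips):
            return "ip_not_allowed"
        return "active"

    def authorize(self, presented_key, client_ip, product):
        """True only if the key is active AND the requested product API is in its scopes."""
        if self.check_connection(presented_key, client_ip) != "active":
            return False
        return product in self._records[presented_key.partition(".")[0]].scopes


if __name__ == "__main__":
    store = KeyStore()
    key = store.generate("alice", "ci-runner", days_from_now(30),
                         allowed_ips=["10.0.0.0/8"], scopes=["tdm"])
    print("from allowed IP:", store.check_connection(key, "10.1.2.3"))
    print("from other IP:  ", store.check_connection(key, "192.0.2.9"))
    print("scope check:    ", store.authorize(key, "10.1.2.3", "uncoder-ai"))
```

The verdict order matters for operations: a key that fails the digest comparison is reported as invalid before expiry or source IP are considered, so a leaked-but-expired key and a valid key used from an unexpected network produce distinguishable results that a defender can alert on separately.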
Attack Detective
With this release, we've implemented multiple improvements:
Added a column with the scenario name and period on the Investigations page
Now, when creating a custom scenario, you can select content from a custom repository and/or by running a Lucene search
In Blind Spots, the details are now expanded by default starting from level 2
Improved the UX of calculating the maximum number of queries that match a selected scenario
Now, against each log source in Data Audit, we show the total number of matching queries and the number of queries actually available under the current subscription plan
Made multiple UI improvements
Now, when setting up an Investigation, the user can select either on-prem or cloud platforms without the possibility of combining them
Improved the error messages during Data Audit. Now, the user can see the error message received from their platform
Added Audit Configuration column to the CSV exported from Blind Spots
Key Bug Fixes & Improvements
With this release, we’ve made the following key bug fixes and improvements to enhance the user experience with the SOC Prime Platform:
Resolved the issue that resulted in an error when the user tried to log in with Microsoft
Resolved issues and made improvements in Attack Detective:
Resolved an issue where a user returning to a running Data Audit sometimes saw an empty page
Fixed spider chart layout on large resolutions
Added Audit Configuration sections to the Demo Investigation Data Audit
Resolved an issue where a warning message was displayed to the user who configured Data Audit for the same Data Plane as in an already running Data Audit and then changed the Data Plane
For Splunk Data Planes, we've removed the 24-hour limits for the Data Audit queries to avoid mismatches in tables
Fixed a bug where the left-panel filters in Scan Details were empty after opening and the items appeared after hiding and showing them again
Fixed the colors on the Data Audit spider charts and the spider chart layout on large resolutions
Fixed a bug where export as CSV in Data Audit showed duplicated information for blind spot suggestions
Fixed a bug where the user's time zone was not taken into account during Data Audit querying
Fixed a bug where the Actors filter was reset to All when the user changed the view of Blind Spots
Resolved issues with displaying coverage on the spider chart in Blind Spots
Fixed a bug in Uncoder AI where unnecessary escape characters were sometimes added to Elastic Query (Lucene) translated from Elastic Detection Rule (Lucene)
Resolved an issue where a custom rule in JSON with invalid field values didn't display on the rule's page in Threat Detection Marketplace
Fixed a bug in Automation where a Job with multiple Data Planes was displayed in the UI as multiple Jobs, one for each Data Plane
Updated tooltips and placeholders in the Create Data Plane modal for Splunk
Updated the informational message about deploying detection content to an Elastic Stack Data Plane in the Create Data Plane modal for Elastic Stack
Improved the UI in Uncoder AI: now, Intelligence sections can be expanded/collapsed with a click anywhere within the section rather than only on the plus/minus icons
Fixed the alignment of the action icons on the Global tab of the Filters page
Resolved an issue where a Custom Field Mapping in rare cases could fail to apply to content downloaded via API
Fixed the handling of possible errors when deploying Elastic Stack Watchers
Fixed the issue with Inventory synchronization where in some cases the synchronization didn't run on time
Improved the text of the Check Connection error message when a Microsoft Sentinel or Sumo Logic Data Plane is disconnected
Fixed a bug in Uncoder AI where some sections of Intelligence were not displayed when editing the Intelligence of an existing content item
