
SOC Prime Platform Product Release Notes 5.11.0

Written by Sergey Bayrachny

May 15, 2024

© 2024 SOC Prime Inc.

All rights reserved. This product and documentation related are protected by copyright and distributed under licenses restricting their use, copying, distribution, and decompilation. No part of this product or documentation related may be reproduced in any form or by any means without the prior written authorization of SOC Prime. While every precaution has been taken in the preparation of this book, SOC Prime assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RBAC


We've released a full-fledged Role-Based Access Control (RBAC) to ensure organizations have granular control over the access privileges of each user in their team.

Access control is managed in the following way:

  • The Manager invites, removes, and assigns roles to users on the Team Management page in Platform Settings

  • The Manager views the privileges of each role and creates new roles on the Roles page in Platform Settings

Team Management

This page replaces the My Team page. Here the Manager of an Organization can:

  • Invite users and assign them roles right away

  • Deactivate users

  • Assign roles to individual users or set a default role for all new users

  • Check basic user information

Roles

On this page, the Manager of an organization can:

  • View system roles and copy them to use as a basis for creating custom roles:

    • Manager

    • Threat Hunter

    • Detection Engineer

    • Analyst

  • Add, edit, copy, and delete custom roles

Role configuration lets you define the following access permissions:

  • Threat Detection Marketplace:

    • Unlock Content. Permission to unlock Premium rules using your organization's balance across the SOC Prime Platform

    • Premium Sigma limit. Optional. The total number of Premium rules all users with this particular role can unlock. Use this parameter if you want to limit the use of your organization's Premium rule balance for a certain group of your users

  • Platform Settings:

    • API access. This permission allows users to generate personal API keys and access the API functionality

    • User Management. Permission to invite, remove, and assign roles to users

    • Manage User Roles. Permission to create, copy, and remove user roles

The old permission levels were migrated in the following way:

  • View Only → Analyst

  • Can Unlock → Detection Engineer

  • Manager (old) → Manager (new)
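To make the new permission model concrete, here is an added example (not SOC Prime's code) that models the four system roles, the per-role Premium Sigma limit, the organization-wide Premium balance, and the migration of the old permission levels. The exact permission sets of the system roles are not stated in the notes, so the sets assigned below are assumptions, as is the enforcement order (permission, then role cap, then balance).

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Permissions named in the release notes (Threat Detection Marketplace and Platform Settings).
UNLOCK_CONTENT = "unlock_content"        # unlock Premium rules using the organization's balance
API_ACCESS = "api_access"                # generate personal API keys and use the API
USER_MANAGEMENT = "user_management"      # invite, remove, and assign roles to users
MANAGE_USER_ROLES = "manage_user_roles"  # create, copy, and remove user roles
ALL_PERMISSIONS = frozenset({UNLOCK_CONTENT, API_ACCESS, USER_MANAGEMENT, MANAGE_USER_ROLES})


@dataclass
class Role:
    name: str
    permissions: FrozenSet[str]
    premium_sigma_limit: Optional[int] = None  # None: no per-role cap, only the org balance applies
    unlocked: int = 0  # Premium unlocks consumed so far by every user holding this role

    def can(self, permission: str) -> bool:
        return permission in self.permissions


# The notes name the four system roles but not their exact permission sets;
# the sets below are assumptions for this example.
SYSTEM_ROLES = {
    "Manager": ALL_PERMISSIONS,
    "Threat Hunter": frozenset({API_ACCESS}),
    "Detection Engineer": frozenset({UNLOCK_CONTENT, API_ACCESS}),
    "Analyst": frozenset(),
}

# Migration of the old permission levels, exactly as stated in the notes.
LEGACY_LEVEL_TO_ROLE = {"View Only": "Analyst", "Can Unlock": "Detection Engineer", "Manager": "Manager"}


class Organization:
    def __init__(self, premium_balance: int, default_role: str = "Analyst"):
        self.balance = premium_balance  # organization-wide Premium rule balance
        self.roles: Dict[str, Role] = {n: Role(n, p) for n, p in SYSTEM_ROLES.items()}
        self.default_role = default_role  # applied to every new user without an explicit role
        self.users: Dict[str, str] = {}   # user -> role name

    def copy_role(self, source: str, new_name: str, premium_sigma_limit: Optional[int] = None) -> Role:
        """Copy a system role as the basis for a custom role, optionally capping its Premium unlocks."""
        self.roles[new_name] = Role(new_name, self.roles[source].permissions, premium_sigma_limit)
        return self.roles[new_name]

    def invite(self, user: str, role: Optional[str] = None, legacy_level: Optional[str] = None) -> None:
        if legacy_level is not None:
            role = LEGACY_LEVEL_TO_ROLE[legacy_level]
        self.users[user] = role or self.default_role

    def authorize(self, user: str, permission: str) -> bool:
        return self.roles[self.users[user]].can(permission)

    def unlock_premium_rule(self, user: str) -> str:
        """Check the permission first, then the role's shared cap, then the organization balance."""
        role = self.roles[self.users[user]]
        if not role.can(UNLOCK_CONTENT):
            return "denied: role lacks Unlock Content"
        if role.premium_sigma_limit is not None and role.unlocked >= role.premium_sigma_limit:
            return "denied: Premium Sigma limit reached for role"
        if self.balance <= 0:
            return "denied: organization balance exhausted"
        role.unlocked += 1
        self.balance -= 1
        return "ok"
```

The point of the per-role counter is that the Premium Sigma limit is shared by all users holding the role, so one custom role can fence off a small part of the balance for a group of users while the Manager role keeps drawing on the whole balance.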

MITRE ATT&CK® v15.0


We've updated the version of MITRE ATT&CK used in all our products to 15.0. You can learn what's changed in MITRE ATT&CK Release Notes.

Threat Detection Marketplace


GitHub moved to Integrations

We've moved the configuration of GitHub integration from Data Planes to Integrations. Now, to configure an integration with your GitHub repository:

  1. Go to Platform Settings > Integrations

  2. Click Add Integration

  3. Select GitHub in the Select Integration dropdown.

  4. Fill in the integration parameters and click Save Changes.

  5. Check the connection to your GitHub Repository to see if the integration has been configured successfully.

Custom Repositories Moved to the Header

Now, to navigate to your custom repositories, use the Repositories item in the header menu in Threat Detection Marketplace.

Presets for Splunk Improved

Now, the parameter that prepends or appends text to the alert name is also applied to the values of the action.notable.param.rule_title and action.correlationsearch.label fields.
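As an added illustration (not SOC Prime's preset code) of what that change means for the generated Splunk configuration, the function below applies a prefix/suffix to a savedsearches.conf stanza and rewrites the stanza name together with the two fields named above, leaving the search string and every other setting untouched. The sample stanza is constructed for the example.

```python
import re
from typing import Dict

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
SETTING_RE = re.compile(r"^(?P<key>[A-Za-z0-9_.]+)\s*=\s*(?P<value>.*)$")

# Fields that, per the release notes, now receive the same prepended/appended
# text as the alert (saved search) name itself.
NAME_FIELDS = ("action.notable.param.rule_title", "action.correlationsearch.label")


def decorate(name: str, prefix: str = "", suffix: str = "") -> str:
    return f"{prefix}{name}{suffix}"


def apply_alert_name_preset(conf_text: str, prefix: str = "", suffix: str = "") -> str:
    """Rewrite every stanza name and both NAME_FIELDS in savedsearches.conf text."""
    out = []
    for line in conf_text.splitlines():
        stanza = STANZA_RE.match(line)
        if stanza:
            out.append(f"[{decorate(stanza.group('name'), prefix, suffix)}]")
            continue
        setting = SETTING_RE.match(line)
        if setting and setting.group("key") in NAME_FIELDS:
            value = decorate(setting.group("value").strip(), prefix, suffix)
            out.append(f"{setting.group('key')} = {value}")
            continue
        out.append(line)  # search string, other settings, comments: untouched
    return "\n".join(out) + "\n"


def parse_stanzas(conf_text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .conf reader used to verify the result (no continuation-line support)."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for line in conf_text.splitlines():
        stanza = STANZA_RE.match(line)
        if stanza:
            current = stanza.group("name")
            stanzas[current] = {}
            continue
        setting = SETTING_RE.match(line)
        if setting and current is not None:
            stanzas[current][setting.group("key")] = setting.group("value").strip()
    return stanzas


# Constructed sample stanza for the example, not taken from any real deployment.
SAMPLE_CONF = """\
[Suspicious PowerShell Download Cradle]
search = index=win sourcetype="WinEventLog:Security" EventCode=4688
cron_schedule = */15 * * * *
action.notable = 1
action.notable.param.rule_title = Suspicious PowerShell Download Cradle
action.notable.param.severity = high
action.correlationsearch.enabled = 1
action.correlationsearch.label = Suspicious PowerShell Download Cradle
"""
```

Keeping the three names in sync matters operationally: Enterprise Security shows the notable title and the correlation search label in the incident review queue, so a prefix that appears only in the stanza name would make rules harder to trace back to their SOC Prime preset.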

Update for AWS OpenSearch Data Planes

We've updated the format of the URL required for using the hunting functionality. Now, the user has to provide the URL of their web console (on the Discover page) ending with "/discover".

Some API Endpoints Re-Enabled

We've re-enabled the TDM API endpoints related to content list management:

  • GET /v1/ccm/content-list

  • POST /v1/ccm/content-list

  • GET /v1/ccm/content-list/{list_id}

  • PUT /v1/ccm/content-list/{list_id}

  • DELETE /v1/ccm/content-list/{list_id}

  • POST /v1/ccm/content-list/{list_id}/add-rules

  • POST /v1/ccm/content-list/{list_id}/remove-rules

Some parameters of these endpoints were updated. You can find out more in the API user guide.

Uncoder AI


Cross-Platform Translation Quality

We've added the modal with cross-platform translation quality statistics. To view it, click the Accuracy hexagon button in the lower right corner of the screen.

In the modal, you can see the accuracy of translation for each pair of supported native formats using each available ruleset. Delta shows an increase or decrease in accuracy compared to the previous test.

Support for Functions in Splunk

We've added support for the following functions when translating from Splunk into Microsoft Sentinel:

  • where

  • values

  • rename

  • eval

  • dc

  • latest

  • earliest

  • fields
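To show what translating these commands involves, the following is an added example and not Uncoder AI's translation engine: a small SPL-to-KQL mapper for the commands listed above (where, stats with dc/values/latest/earliest, rename, eval, fields). It assumes that the caller supplies the Sentinel table name and that the table's event-time column is TimeGenerated (needed for latest/earliest, rendered as arg_max/arg_min). It also accepts `by` field lists separated either by commas or by whitespace, and renders dc() as dcount() rather than count(), the two behaviours the bug-fix list of these notes mentions.

```python
import re
from typing import List

# Assumed event-time column of the target table; latest()/earliest() need one.
TIME_COLUMN = "TimeGenerated"

AGG_RE = re.compile(r"^(?P<fn>\w+)(?:\((?P<arg>[\w.]+)\))?(?:\s+as\s+(?P<alias>\w+))?$", re.I)
BY_RE = re.compile(r"\s+by\s+", re.I)


def split_field_list(text: str) -> List[str]:
    """SPL accepts 'by a, b' and 'by a b'; treat both the same."""
    return [f for f in re.split(r"[,\s]+", text.strip()) if f]


def kql_comparisons(expr: str) -> str:
    """SPL compares with a single '='; KQL needs '=='. Quoted strings containing '=' are not handled."""
    expr = re.sub(r"\s*(!=|>=|<=|==)\s*", r" \1 ", expr)
    expr = re.sub(r"\s*(?<![!<>=])=(?!=)\s*", " == ", expr)
    return re.sub(r"\b(AND|OR|NOT)\b", lambda m: m.group(1).lower(), expr)


def translate_aggregation(token: str) -> str:
    m = AGG_RE.match(token.strip())
    if not m:
        raise ValueError(f"unsupported aggregation syntax: {token!r}")
    fn, arg, alias = m.group("fn").lower(), m.group("arg"), m.group("alias")
    if fn == "count":
        kql = "count()"
    elif arg is None:
        raise ValueError(f"{fn}() needs a field argument")
    elif fn == "dc":
        kql = f"dcount({arg})"  # distinct count, not count()
    elif fn == "values":
        kql = f"make_set({arg})"
    elif fn == "latest":
        kql = f"arg_max({TIME_COLUMN}, {arg})"
    elif fn == "earliest":
        kql = f"arg_min({TIME_COLUMN}, {arg})"
    else:
        raise ValueError(f"unsupported aggregation function: {fn}")
    return f"{alias} = {kql}" if alias else kql


def translate_spl(spl: str, table: str) -> str:
    """Translate a pipeline of the supported commands; unsupported ones become a KQL comment."""
    stages = [s.strip() for s in spl.split("|")]  # naive: '|' inside quotes is not handled
    lines = [table]
    filters = []
    for key, op, value in re.findall(r'(\w+)\s*(!=|=)\s*("[^"]*"|\S+)', stages[0]):
        if key.lower() in ("index", "sourcetype", "source"):
            continue  # these choose the Sentinel table, which the caller passes in
        filters.append(f"{key} {'!=' if op == '!=' else '=='} {value}")
    if filters:
        lines.append("| where " + " and ".join(filters))
    for cmd in stages[1:]:
        name, _, rest = cmd.partition(" ")
        name, rest = name.lower(), rest.strip()
        if name == "where":
            lines.append(f"| where {kql_comparisons(rest)}")
        elif name == "eval":
            lines.append(f"| extend {rest}")  # assignment syntax only; eval functions are not mapped
        elif name == "stats":
            parts = BY_RE.split(rest, maxsplit=1)
            aggs = ", ".join(translate_aggregation(a) for a in parts[0].split(","))
            by = f" by {', '.join(split_field_list(parts[1]))}" if len(parts) == 2 else ""
            lines.append(f"| summarize {aggs}{by}")
        elif name == "rename":
            pairs = [re.split(r"\s+as\s+", p.strip(), flags=re.I) for p in rest.split(",")]
            lines.append("| project-rename " + ", ".join(f"{new} = {old}" for old, new in pairs))
        elif name == "fields":
            if rest.startswith("-"):
                lines.append("| project-away " + ", ".join(split_field_list(rest[1:])))
            else:
                lines.append("| project " + ", ".join(split_field_list(rest)))
        else:
            lines.append(f"// unsupported command, translate manually: {cmd}")
    return "\n".join(lines)
```

Leaving an unsupported command as a comment rather than dropping it silently is the safer failure mode for a detection query: a query that runs but has lost a filter or aggregation produces wrong alerts quietly, while a visible comment forces the engineer to finish the translation.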

Attack Detective


Scan Schedules

Now, you can schedule regular or one-off scans. You can set up a scan to be repeated every x days, on the x day of every week, or on the x day of every month. To schedule a scan, click the down arrow next to the Start Scan button after you've chosen a hunting scenario. In the dropdown that appears, select Schedule Scan.

The Schedule Scan menu appears. Here you can set all the configurations.

Postponed One-Off Scan

To run a one-off postponed scan:

  1. Select Never for Repeat the Scan.

  2. Set the date and time when the scan should be launched.

  3. Click Schedule Scan.

Regular Scheduled Scan

To run a regular scheduled scan:

  1. Select Set Schedule for Repeat the Scan.

  2. Set the date until which the scan should be run on this schedule in the Repeat till field.

  3. Set the scan schedule using the Run scan every, On, and At fields and set the time zone of the schedule.

  4. Select when to run the scan for the first time:

    • Now. The scan will be run for the first time right now. Then, the scan will be run on the set schedule

    • On Schedule. The scan will be run for the first time according to the set schedule

  5. Click Schedule Scan.

You can find your scheduled scan on the Schedules tab of the Investigations page. Click the Logs icon to view the status of each scan in the schedule.
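The scheduling options described above (every x days, a weekday, or a day of the month, bounded by Repeat till, with a first run either now or on schedule) can be expressed as a function that expands a schedule into its run times. The code below is an added example, not Attack Detective's scheduler; it assumes a fixed-offset time zone for the schedule, that a run slot earlier on the day of scheduling is not run retroactively, and that months without the chosen day simply get no run.

```python
from datetime import date, datetime, time, timedelta, timezone
from typing import List, Optional


def scheduled_scans(
    now: datetime,            # the moment Schedule Scan is clicked (timezone-aware)
    repeat_till: date,        # Repeat till: last calendar day on which a run may happen
    at: time,                 # At: wall-clock time of each run in the schedule's zone
    tz: timezone,             # time zone chosen for the schedule
    every_days: Optional[int] = None,   # Run scan every x days
    weekday: Optional[int] = None,      # On the x day of every week (0 = Monday ... 6 = Sunday)
    monthday: Optional[int] = None,     # On the x day of every month (1..31)
    first_run: str = "schedule",        # "now" or "schedule"
    max_runs: int = 1000,               # safety bound for very long schedules
) -> List[datetime]:
    """Expand a regular schedule into the list of run times it produces."""
    if sum(v is not None for v in (every_days, weekday, monthday)) != 1:
        raise ValueError("choose exactly one of every_days, weekday, monthday")
    if every_days is not None and every_days < 1:
        raise ValueError("every_days must be at least 1")
    start_day = now.astimezone(tz).date()

    def due(day: date) -> bool:
        if every_days is not None:
            return (day - start_day).days % every_days == 0
        if weekday is not None:
            return day.weekday() == weekday
        return day.day == monthday  # months without that day simply get no run

    runs = [now] if first_run == "now" else []
    day = start_day
    while day <= repeat_till and len(runs) < max_runs:
        candidate = datetime.combine(day, at, tzinfo=tz)
        # a slot earlier today that has already passed is not run retroactively
        if candidate > now and due(day):
            runs.append(candidate)
        day += timedelta(days=1)
    return runs
```

Expanding the schedule up front is a useful sanity check before committing to it: a Repeat till date that is earlier than the first due slot, or a month-day that never occurs in the chosen window, yields an empty list instead of a schedule that silently never fires.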

Navigation Updates

  • Scan settings are now located on top of the scenario list, next to the Add Scenario button

  • Scenarios with no content are hidden. To see them, click Show Empty below the scenario list

Blind Spot Improvement

We've extended the supported log sources with Azure Active Directory and Office365.

Notification During Data Audit

We've added a notification shown to the user when Data Audit continues for more than 30 seconds. The notification says that the Data Audit is still in progress and will need some more time, but everything works fine.

Key Bug Fixes & Improvements


  • Made some Uncoder AI improvements:

    • Improved field mappings applied when translating from Splunk to Sigma

    • Fixed an issue where queries with comments failed to translate

    • In reverse translations from Splunk, added handling of by arguments in functions whether they are separated by commas or only by whitespace

    • Now, in reverse translations into Sigma, any unsupported functions are added to a comment

    • Fixed field mapping for translations into Elastic Stack with certain log sources

  • Generated Non-UTF8-payload alternative translations for QRadar Queries in content where the translation was missing

  • Fixed issues with aggregation and rendering keywords in translations from Sigma to Microsoft Sentinel

  • Fixed syntax in the deviceProduct field in translations from Sigma into ArcSight

  • Changed count to dcount in translations from Sigma into Microsoft Defender for Endpoint and Microsoft Sentinel where Sigma included a condition to count the distinct values of a specified field

  • Added missing escape characters to translations from Sigma into Chronicle Security

  • Resolved an issue with deployment into Elasticsearch where under certain conditions rules failed to deploy

  • Corrected a typo on the login page when the user tries to log in with SSO

  • Fixed layout issues with the search bar and source platform selection dropdown

  • Fixed the style of buttons on the Quick Hunt page and in the Professional Services modal on the Pricing page

  • Links from the Collaborate modal now open in a new tab

  • Resolved an issue in Automation where the user had to click the Run Now button several times to start the Job

  • Fixed bugs in Attack Detective:

    • A bug where the spider chart in Data Audit was not displayed if alternative translations were present

    • A bug where an attempt to calculate queries for multiple scenarios resulted in an error
