June 13, 2024
© 2024 SOC Prime Inc.
All rights reserved. This product and related documentation are protected by copyright and distributed under licenses restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without the prior written authorization of SOC Prime. While every precaution has been taken in the preparation of this book, SOC Prime assumes no responsibility for errors or omissions. This publication and the features described herein are subject to change without notice.
Threat Detection Marketplace
Bulk Translation Flow
We've added the capability to translate content from a custom repo in bulk. Currently, this feature is supported only for translations from IBM QRadar Rules into Palo Alto Cortex XSIAM Queries.
The process of bulk translation is as follows:
Start the bulk translation flow in one of the two following ways:
Open your repository, select certain content items with checkboxes, and click Translate To in the bulk actions menu that appears. Note that in this way you can select only those content items that are currently displayed on the screen.
On the Repositories page, click the three dots icon next to the repository and select Bulk Translate. Note that in this way all supported content from the repository will be translated.
In the Bulk Translation Settings modal that appears, ensure the source and target formats are correct and click Translate. Each translation will be stored together with its source in your custom repository.
Once the bulk translation is done, the Translation Results modal appears. Click Finish.
The Search page with your repository is displayed. Each content item that was run through the bulk translation process has a translation status on the right:
Translated – the content item was successfully translated and saved.
Partial – the content was partially translated and saved. This means that some components of the source, such as functions, could not be translated into the target. You can check the list of these components in the comment in the target code.
Failed – the content failed to translate. You can check the reason in the error message.
Click the status to open the content item's page in Threat Detection Marketplace or hover over the status and click Go to Uncoder in the tooltip that appears to open the content item directly in Uncoder AI.
Note that content that doesn't include source language items is not translated and, accordingly, the translation status is not displayed for it.
Once the translation is done, review its results from the repository with translated content. For each content item:
Hover over the translation status and click Go to Uncoder in the tooltip that appears to open the content item directly in Uncoder AI.
The source and the target are opened in Uncoder AI. Review the translation. Note that:
Unsupported functions in Partial translations are listed in the comment
For Failed translations, the error message contains the reason why it was impossible to translate the source
Once you've reviewed the translation, save it and change the translation status to Reviewed.
Translation Enhancements
We've improved the CrowdStrike Query Language (CQL) alternative translation into CrowdStrike Endpoint Security by making queries case-insensitive using regexes.
Uncoder AI
Threat Bounty Program in Uncoder AI
We've extended Uncoder AI functionality to enable members of the Threat Bounty Program to contribute content. This ensures that authors can use the best capabilities to write and validate their rules.
The Threat Bounty Portal, which previously was used for submitting content, has been sunsetted.
Read this article in our Help Center to learn more about using Uncoder AI for the Threat Bounty Program.
IOC-Based Queries for AWS OpenSearch
We've added support for generating IOC-based queries for AWS OpenSearch.
Attack Detective
Navigation Tabs
We've improved navigation by replacing the following navigation icons with tabs:
Scan Overview
Data Audit
Scan Results
Legal Documents Updated
We've updated the following legal documents to ensure they reflect all the changes in functionality of the SOC Prime Platform:
Pricing Page
We've updated the pricing page for Threat Detection Marketplace and Uncoder AI to reflect the new Enterprise subscription plans.
Key Bug Fixes & Improvements
Added the IBM QRadar logo to the corresponding Data Plane names on the Data Planes page
Improved Green Warden by adding support for the windash Sigma modifier
Generated translations into Hunters that were missing on Threat Detection Marketplace after the initial release of support for this platform
Added escaping of the backslash in Elastic Query (EQL) and Elastic Detection Rule (EQL)
Fixed a bug where downloading a report sometimes failed on the Dashboards page
Fixed bugs on the History page:
A bug where content type sometimes was indicated in the wrong way
A bug where the Action by field showed null when the username was not available
Fixed image alignment on icons on a rule's page in Threat Detection Marketplace
Fixed issues with the adaptive layout on the History page
Added adaptive layout of the SOC Prime Platform header for smaller resolutions
Fixed a bug where the Audit Configuration, Triage Recommendations, and False Positives fields were not filled for some recently published rules
Resolved issues with checking connection to a Microsoft Defender for Endpoint Data Plane
Improved performance of Uncoder AI's editor and fixed a bug where the undo hotkey (ctrl/command + z) did not work in the editor's input field
