
SOC Prime Platform Product Release Notes 5.13.0

Written by Sergey Bayrachny

August 7, 2024

© 2024 SOC Prime Inc.

All rights reserved. This product and documentation related are protected by copyright and distributed under licenses restricting their use, copying, distribution, and decompilation. No part of this product or documentation related may be reproduced in any form or by any means without the prior written authorization of SOC Prime. While every precaution has been taken in the preparation of this book, SOC Prime assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

Uncoder AI


Language Autodetect

We've added source language autodetection based on AI prediction. It is applied automatically once the user pastes code into the input editor or pauses while typing it.

If the user manually selects an option in the source language dropdown, autodetection is no longer applied. To re-enable it, select the Detect Platform with AI option in the source language dropdown.

Supercharge Mode

We've introduced the Supercharge mode where you can turn a platform-specific rule or query into a Roota rule and enrich it with metadata using AI.

To enter the Supercharge mode, click the Roota icon:

  • If the input editor contains code, supercharging starts automatically

  • If no code is present, paste or write a query/rule and click Supercharge

When supercharging, the following Roota rule fields are filled using our proprietary technology and AI models:

  • tram-tags – MITRE ATT&CK tags predicted by our version of the TRAM LLM

  • timeline – key dates of the activities related to the threat the rule detects

  • logsource – possible log sources are defined where they are not specified in the original content. Additionally, the audit section is filled in, specifying which logging service must be enabled to produce the required logs and how to enable it

  • false-positives – possible false positives or benign activities predicted by AI

  • triage_recommendations – possible actions for validating and investigating malicious activity, suggested by AI
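The fields above are AI predictions, so it is worth sanity-checking them before saving the rule. The following is an added example (not SOC Prime's code) of a small validator for those fields; the field names come from the list above, but the nesting (audit under logsource, lists for tags and timeline) is an assumption, not the official Roota schema.

```python
import re
from datetime import date

# ATT&CK technique IDs look like T1059 or T1059.001.
TECHNIQUE_RE = re.compile(r"^T\d{4}(\.\d{3})?$")


def validate_supercharged(rule: dict) -> list:
    """Return a list of problems found in the AI-filled Roota fields."""
    problems = []

    tags = rule.get("tram-tags") or []
    if not tags:
        problems.append("tram-tags: empty")
    for tag in tags:
        # TRAM predicts ATT&CK techniques; anything else needs a human look.
        if not TECHNIQUE_RE.match(str(tag)):
            problems.append(f"tram-tags: '{tag}' is not an ATT&CK technique ID")

    timeline = rule.get("timeline") or []
    if not timeline:
        problems.append("timeline: empty")
    for entry in timeline:
        try:
            date.fromisoformat(str(entry.get("date", "")))
        except ValueError:
            problems.append(f"timeline: bad date {entry.get('date')!r}")

    logsource = rule.get("logsource") or {}
    audit = logsource.get("audit") or {}  # assumed nesting
    if not logsource.get("product"):
        problems.append("logsource: product missing")
    if not (audit.get("service") and audit.get("enable")):
        problems.append("logsource.audit: service and enable both required")

    for field in ("false-positives", "triage_recommendations"):
        if not rule.get(field):
            problems.append(f"{field}: empty")
    return problems


# Constructed sample of a supercharged rule; a saved Roota rule would be
# loaded from YAML instead (e.g. with yaml.safe_load).
SAMPLE_RULE = {
    "tram-tags": ["T1059.001", "T1566", "Phishing"],
    "timeline": [{"date": "2024-07-15", "description": "campaign first reported"}],
    "logsource": {"product": "windows", "service": "powershell",
                  "audit": {"service": "PowerShell Script Block Logging",
                            "enable": "enable via Group Policy"}},
    "false-positives": ["administrative PowerShell automation"],
    "triage_recommendations": [],
}
```

Running `validate_supercharged(SAMPLE_RULE)` flags the non-technique tag "Phishing" and the empty triage_recommendations field, which is exactly the kind of output worth reviewing before the rule is saved.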

Currently, supercharging is supported for the following formats:

  • Microsoft Sentinel Query

  • Microsoft Sentinel Rule

  • Splunk Query

  • Splunk Alert

  • Crowdstrike Endpoint Security Query

  • Elastic Stack Query (Lucene)

  • Elastic Stack Detection Rule (Lucene)

  • AWS OpenSearch Query

  • Falcon LogScale Alert

  • Falcon LogScale Query

  • Microsoft Defender for Endpoint Query

  • Sigma Rule

  • AWS Athena Query

  • Chronicle Security Query

  • Chronicle Security Rule

Additionally, you can look up content in these formats and open it in the Search panel in the Supercharge mode. To filter by format, use the Choose Platform filter.

Once a Roota is generated, you can:

  • Save it and additionally generate a translation into any of the supported languages

  • Look up similar content on Threat Detection Marketplace

Attack Detective


Use Cases

To improve and streamline the user experience, we've organized functionality with use cases:

  • Data Audit. Address threat detection blind spots with an actionable plan generated by mapping the data collected in your SIEM to ATT&CK. All finished Data Audits are listed on the Audits page.

  • Rules for Alerting. Discover the best Detection Rules for your SIEM, then configure and deploy them to generate low-noise, high-value Alerts. All finished Rules for Alerting Scans are listed on the Scans page.

  • Threat Hunting. Act faster than Attackers by automating routine Threat Hunting tasks and correlating findings with ATT&CK and the latest CTI. All Threat Hunting Scans are listed on the Scans page.

  • Content Audit (coming soon). Improve Threat Visibility by auto-mapping your Rules & Queries to MITRE ATT&CK with AI that does not leak your code. All finished Content Audits are listed on the Audits page.

You can navigate to each of the use cases right from the main page or a dedicated header menu.

The main difference introduced with this release is the final separation of Scans and Audits into two different entities.

  • Scans include two types of use cases: Rules for Alerting and Threat Hunting. A Scan does not include a full Data Audit. It only shows identified log sources and attack visibility, and offers no information on blind spots. To learn about the blind spots in your environment, follow the Data Audit use case. The default period for Rules for Alerting is 7 days, and for Threat Hunting 24 hours.

  • Audits include two types of use cases: Data Audit and Content Audit (coming soon). The result of an Audit is a set of spider charts showing the percentage of techniques in each tactic that can be detected with the existing log sources, and the potential attack visibility after implementing the recommendations for resolving blind spots. The default period for a Data Audit is 90 days.

Audits and Scans are counted separately. The counters are shown on the Account Details page. Any failed scans are not counted towards subscription plan limits.

Exportable Reports

We've added the ability to generate XLSX reports from scan results. Once generated, a report can be found and downloaded on the Reports page.

You can create the following reports:

  • For Scans:

    • Overview Report

    • Hitmap Content Report

  • For Audits:

    • Data Audit CSV

    • Data Audit DeTT&CT

User Session Termination


We've added the ability for Managers to terminate the session of any user on their team. To do that:

  1. Go to Team Management.

  2. Click three dots next to the selected user name.

  3. Choose Terminate Session.

  4. Confirm the action in the modal that appears.

  5. A success message appears at the top of the screen.

Key Bug Fixes & Improvements


  • Fixed a bug on the Search page where forking a rule to a custom repository failed under some circumstances

  • Corrected the use of regexes in CrowdStrike Query Language (CQL) alternative translations

  • Resolved an issue where reverse translation from Chronicle Security could fail if capital letters were present in the code

  • Fixed an issue where the Subscribe icon was missing for the Solo plan in Uncoder AI

  • Fixed issues where deploying a Sumo Logic Query, Sumo Logic CSE Rule or Microsoft Sentinel rule from the rule's page failed under some conditions

  • Improved handling of the 429 errors when querying a Microsoft Defender for Endpoint Data Plane in Attack Detective to prevent failed Scans

  • Backend error messages in Attack Detective are now displayed in modal windows to improve usability
