
SOC Prime Platform Product Release Notes 5.13.1

Written by Sergey Bayrachny

August 21, 2024

© 2024 SOC Prime Inc.

All rights reserved. This product and documentation related are protected by copyright and distributed under licenses restricting their use, copying, distribution, and decompilation. No part of this product or documentation related may be reproduced in any form or by any means without the prior written authorization of SOC Prime. While every precaution has been taken in the preparation of this book, SOC Prime assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RBAC Extended


We've added more permission controls to the Role-Based Control System (RBAC); they are described below.

Repositories

Control the level of the Repositories permission of a role:

  • View Only. The role can view a Repository and its content, but cannot create, edit, or delete it

  • Create/Edit. The role can create a Repository as well as edit or delete their own Repositories or Repositories shared across their team

  • Administration. The role can view, edit, or delete Repositories of other users on their team including those Repositories that are not shared

Content Lists

Control the level of the Content Lists permission of a role:

  • View Only. The role can view a Content List and its content, but cannot create, edit, or delete it

  • Create/Edit. The role can create a Content List as well as edit or delete their own Content Lists or Content Lists shared across their team

  • Administration. The role can view, edit, or delete Content Lists of other users on their team including those Content Lists that are not shared

Save Rules to Repo

Control whether the role can save (fork, delete) content to a Custom Repository:

  • Enabled. The role can save (fork, delete) content to a Custom Repository

  • Disabled. The role cannot save (fork, delete) content to a Custom Repository
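To make the three permission levels above concrete for both Repositories and Content Lists, here is an added policy check that encodes them as an executable authorization function. This is example code written for these notes, not SOC Prime's implementation; it assumes that an object has one owner, that sharing is scoped to the owner's team, that nothing is visible across team boundaries, and that View Only and Create/Edit roles cannot see a teammate's unshared object (the notes say only that Administration can).

```python
from dataclasses import dataclass
from enum import Enum


class Level(Enum):
    """The three RBAC levels described in the release notes."""
    VIEW_ONLY = 1
    CREATE_EDIT = 2
    ADMINISTRATION = 3


@dataclass(frozen=True)
class Obj:
    """A Repository or a Content List (the notes give both the same model)."""
    owner: str    # user id of the creator
    team: str     # team the owner belongs to (assumption: one team per object)
    shared: bool  # shared across the owner's team


def can_create(level: Level) -> bool:
    """Only Create/Edit and Administration may create new objects."""
    return level is not Level.VIEW_ONLY


def can_access(level: Level, action: str, actor: str, actor_team: str, obj: Obj) -> bool:
    """Decide whether `actor` (with a role at `level`) may view/edit/delete `obj`."""
    if action not in ("view", "edit", "delete"):
        raise ValueError(f"unknown action: {action}")
    if obj.team != actor_team:
        return False  # assumption: no cross-team access at any level
    is_owner = obj.owner == actor
    # Visibility: own objects, objects shared with the team, or anything in the
    # team for Administration (which the notes say includes unshared objects).
    visible = is_owner or obj.shared or level is Level.ADMINISTRATION
    if action == "view":
        return visible
    if level is Level.VIEW_ONLY:
        return False  # view only: never edit or delete
    if level is Level.CREATE_EDIT:
        return is_owner or obj.shared  # own objects or objects shared across the team
    return True  # Administration: edit/delete any object in the team, shared or not
```

The decisive cases are a teammate's unshared object, which Create/Edit cannot touch but Administration can, and an object owned by another team, which no level reaches.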

Support for ECS Case Sensitive


We've added the ECS Case Sensitive data schema:

  • In Threat Detection Marketplace as an alternative translation option for the following platforms:

    • Elastic Stack SavedSearch

    • Elastic Stack Watcher

    • Elastic Stack Query (EQL)

    • Elastic Stack Query (Lucene)

    • Elastic Stack Detection Rule (EQL)

    • Elastic Stack Detection Rule (Lucene)

    • ElastAlert Alert

  • In Uncoder AI as an option for the translation of Sigma rules into the following target platforms:

    • Elastic Stack Kibana SavedSearch (JSON)

    • Elastic Stack Kibana SavedSearch (NDJSON)

    • Elastic Stack Rule (Watcher)

    • Elastic Stack Query (DSL)

    • Elastic Stack Query (EQL)

    • Elastic Stack Query (Lucene)

    • Elastic Stack Detection Rule (EQL)

    • Elastic Stack Detection Rule (Lucene)

    • ElastAlert Alert (Lucene)

    • ElastAlert Alert (DSL)

    • LogRhythm LR7 Query (Lucene)

    • NVISO EE-Outliers Query

    • AWS OpenSearch Rule (JSON)

Threat Detection Marketplace


Roota Repository

We've added a new Platform repository called Roota that includes content written in Roota.

Sumo Logic Data Plane Updates

We've updated the configurations of a Sumo Logic Data Plane:

  • Now, to set up a Sumo Logic CSE Data Plane, there's no need to expand and fill in additional fields. All the fields are the same for Sumo Logic and Sumo Logic CSE

  • The Sumo Logic URL format has been updated, and the URL is now required for any type of configuration

Accordingly, we've updated the How to Get Credentials guide.

Uncoder AI


Extended Autodetect

We've extended the autodetect capabilities to support three additional formats:

  • Elastic Stack Detection Rule (TOML)

  • Splunk Alert (YML)

  • Microsoft SentinelRule (YML)

Note that translations from these formats are not supported.

Key Bug Fixes & Improvements


  • Fixed an issue where Microsoft Defender for Endpoint translations were generated for some source Sigma rules despite the strict mapping

  • Fixed an issue with Microsoft Sentinel translations for content that requires the Syslog table: the syslog_message field name was updated to SyslogMessage

  • Fixed a bug where the author field didn't parse properly when translating from Microsoft Sentinel Rule

  • Fixed a bug where drilling down from the Jobs page to the History page sometimes failed due to insufficient Job ID information being passed

  • Ensured the private key format for Chronicle Security Data Plane is properly validated before saving

  • Improved Splunk Datamodel mapping

  • Fixed a bug where the Custom Field Mapping profile dropdown was unavailable for AWS OpenSearch for some time

  • Resolved an issue where an error appeared after the user tried to search in Sumo Logic from a Rule's page

  • Improved the autodetect feature in Uncoder AI for cases when the user saves a rule

  • Resolved an issue where a Sigma rule was saved together with its translation when the user saved the Roota rule generated based on that translation

  • Fixed a bug where the search bar was inactive in the Select Platform dropdown of the Create New Data Plane modal
