
SOC Prime Attack Detective Release Notes 2.2.0

Written by Eugene

October 2, 2024

© 2024 SOC Prime Inc.

All rights reserved. This product and its related documentation are protected by copyright and distributed under licenses restricting their use, copying, distribution, and decompilation. No part of this product or its related documentation may be reproduced in any form or by any means without the prior written authorization of SOC Prime. While every precaution has been taken in the preparation of this document, SOC Prime assumes no responsibility for errors or omissions. This publication and the features described herein are subject to change without notice.

Content Audit Directly from Repo Support


With this release, you can run a Content Audit directly against a Custom Repository instead of first connecting a Data Plane. To use this functionality:

  1. On the Setup Content Audit page, select Content from > Repository.

  2. Select a Repository* from the list of available options.

  3. From the Select Platforms drop-down, select the content type you want to include in the Content Audit for this repo. Currently, one content type is available for each selected platform.

*Please note that the repository must already exist as a saved Custom Repository. We recommend choosing an empty Repository; otherwise, content already stored in the selected Repository will affect the Content Audit results.

Data Audit Improvements: Elastic Indices Updates


As part of the Data Audit enhancements, we've streamlined data collection when pulling the list of indices from Elastic by adding support for data streams, so backing indices are attributed to their data stream rather than listed as standalone indices.

The latest update also improves the Log Sources section of the Data Audit results for Elastic On-Prem. Users can now see a complete list of indices that are empty or not associated with a specific log source, and map those log sources manually to check their MITRE ATT&CK coverage.
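The following is an added example and not SOC Prime code; it illustrates why data stream support matters when auditing Elastic log sources. It parses constructed sample responses shaped like `GET _cat/indices?format=json&h=index,docs.count` and `GET _data_stream`, groups backing indices under their data stream, and then flags streams or indices that are empty or not mapped to a known log source. The `LOG_SOURCE_PATTERNS` table is a hypothetical name-prefix mapping invented for the example; the sample index names and counts are constructed, not real data.

```python
"""Group Elastic backing indices under their data streams and flag empty or
unmapped log sources. Added example, not SOC Prime's implementation."""
import json

# Constructed sample of GET _cat/indices?format=json&h=index,docs.count (not real data).
# Cat API values arrive as strings in JSON output.
CAT_INDICES = json.dumps([
    {"index": ".ds-logs-windows.sysmon-default-2024.10.01-000001", "docs.count": "18342"},
    {"index": ".ds-logs-windows.sysmon-default-2024.10.02-000002", "docs.count": "0"},
    {"index": ".ds-logs-aws.cloudtrail-default-2024.10.01-000001", "docs.count": "4410"},
    {"index": "winlogbeat-7.17.0-2024.10.01", "docs.count": "902"},
    {"index": "filebeat-legacy-2024.09", "docs.count": "0"},
])

# Constructed sample of GET _data_stream (not real data).
DATA_STREAMS = json.dumps({"data_streams": [
    {"name": "logs-windows.sysmon-default", "indices": [
        {"index_name": ".ds-logs-windows.sysmon-default-2024.10.01-000001"},
        {"index_name": ".ds-logs-windows.sysmon-default-2024.10.02-000002"},
    ]},
    {"name": "logs-aws.cloudtrail-default", "indices": [
        {"index_name": ".ds-logs-aws.cloudtrail-default-2024.10.01-000001"},
    ]},
]})

# Hypothetical prefix -> log source mapping (assumption for this example only).
LOG_SOURCE_PATTERNS = {
    "logs-windows.sysmon": "Windows Sysmon",
    "winlogbeat-": "Windows Event Log",
}


def naive_empty_indices(cat_indices_json):
    """Empty-index check without data stream awareness: every backing index
    is treated as its own log source, so a freshly rolled-over backing index
    with zero docs shows up as an 'empty' source even though its stream is healthy."""
    indices = json.loads(cat_indices_json)
    return sorted(i["index"] for i in indices if int(i.get("docs.count") or 0) == 0)


def collect_sources(cat_indices_json, data_streams_json):
    """Return {source_name: total_docs}, where backing indices are rolled up
    into their data stream and plain indices keep their own name."""
    indices = json.loads(cat_indices_json)
    streams = json.loads(data_streams_json)["data_streams"]
    backing_to_stream = {
        b["index_name"]: s["name"] for s in streams for b in s["indices"]
    }
    docs = {}
    for idx in indices:
        name = backing_to_stream.get(idx["index"], idx["index"])
        # docs.count can be null for closed indices; treat that as zero.
        docs[name] = docs.get(name, 0) + int(idx.get("docs.count") or 0)
    return docs


def classify(docs):
    """Split sources into those with no documents and those not matching any
    known log source prefix; both need manual review before coverage mapping."""
    empty = sorted(name for name, count in docs.items() if count == 0)
    unmapped = sorted(
        name for name in docs
        if not any(name.startswith(prefix) for prefix in LOG_SOURCE_PATTERNS)
    )
    return empty, unmapped


if __name__ == "__main__":
    print("naive empty:", naive_empty_indices(CAT_INDICES))
    sources = collect_sources(CAT_INDICES, DATA_STREAMS)
    empty, unmapped = classify(sources)
    print("empty sources:", empty)
    print("unmapped sources:", unmapped)
```

With the constructed data, the naive check reports the zero-document `.ds-...-000002` backing index as empty, while the stream-aware version correctly attributes it to `logs-windows.sysmon-default` and leaves only the genuinely empty legacy Filebeat index, plus the CloudTrail stream that has data but no log source mapping yet.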

Data Plane Number Limitations per Scan


With the latest Attack Detective release, we've limited the number of Data Planes that can be included in a single scan (for both the "Rules for Alerting" and "Threat Hunting" use cases). On the Setup Threat Scan page, users can now select up to 5 Data Planes; once 5 are selected, the remaining Data Plane options in the drop-down list are disabled.

Exclude Content in Scans


With the latest release of Attack Detective, we've introduced an Exclude Content feature for Scans. It lets users filter content that is not relevant to a given Data Plane out of future scans, streamlining the investigation process. Exclusions are scoped per Data Plane, so a rule excluded from one Data Plane is still scanned in the others.

To use the Exclude Content functionality:

  1. Access the Scan Results:

    • After running a threat scan, navigate to the Scan Results page.

  2. Exclude Irrelevant Content:

    • Open the rule you wish to exclude from future scans and click the Exclude from the next scans button. This excludes the selected content item from the specified Data Plane.

    • If the scan spans multiple Data Planes, use the drop-down list to select the Data Planes where the exclusion should apply.

  3. View Excluded Content:

    • To review content that has been excluded from future scans, go to the Threat Detection Marketplace Search page, click More Expert Filters, and enable the Excluded in Scans filter.

  4. Manage Excluded Content by Data Plane:

    • To see which Data Planes a content item has been excluded from, open the rule in Threat Detection Marketplace and click the Exclude from Attack Detective Scans button.

    • To exclude the item from additional Data Planes, select them from the drop-down menu and click Save.

  5. Revert Exclusions:

    • To restore excluded content to scans, open the rule in Threat Detection Marketplace, click the Exclude from Attack Detective Scans button, remove the Data Planes from the exclude list, and click Save.
