SOC Prime operates the largest and most advanced platform for collaborative cyber defense enabling global organizations to efficiently search for emerging threats at lightning speed. SOC Prime’s Detection as Code platform curates the most up-to-date Sigma-based threat detection content and integrates with more than 25 SIEM, EDR, and XDR platforms. An extensive collection of 180,000+ verified and context-enriched detection and response algorithms is continuously updated and aligned with the MITRE ATT&CK® framework to ensure increased visibility into threats matching the organization’s attack surface.
In this blog article, we’ll cover the most important capabilities of SOC Prime’s platform aimed to simplify and maximize the efficiency of SOC operations for teams using the Humio cloud-based solution.
New users of SOC Prime’s platform are prompted to perform a one-time guided setup process using the onboarding wizard designed to tailor the platform experience to the organization-specific environment. This customized setup is designed to boost threat detection capabilities and threat hunting velocity, and drive immediate value from SOC Prime’s solution.
Current SOC Prime subscribers will also be prompted to populate missing settings to customize the platform experience to their security needs and instantly maximize their threat detection and hunting experience. To begin, click Open Wizard from the notification that appears on top of each screen and proceed with the settings.
Throughout the entire setup procedure, Humio customers can watch brief video tutorials in the Tips section on the right designed to simplify the onboarding experience. Alternatively, they can reach out for help in one of the following ways:
For Humio users, the onboarding process involves the following five steps:
Please note that once set up, this Search Profile can be applied to the Advanced Search page, MITRE ATT&CK® Coverage, and Log Source Coverage dashboards to adjust your content search to actual environment needs.
To get an API token, go to your Humio Cloud instance and click Manage Your Account linked to the repository you want to use for the integration. Then select API tokens from the Account settings and click the Generate new API token button. On the pop-up that appears, click the Renew token button, copy the newly generated token and then paste it into the API Token field on SOC Prime’s onboarding wizard. Treat this token as a credential: it is a personal token that carries the permissions of the account that generated it, so generate it from an account scoped to the repository in question rather than from a broadly privileged one, and rotate it if it is ever exposed.
Once configured, click the Check Connection button. If the connection is successful, you’re done with the Humio integration and are all set to unleash the full power of SOC Prime’s platform.
To reach the entire collection of Humio detection rules, select Discover > Advanced Search after logging into SOC Prime’s platform. Security practitioners can filter content by the Humio platform or by Humio-specific content types — Alerts or Queries. Once applied, drill down to the content item page to reach the detection source code convertible to the Humio cloud-native language format.
Please note that after setting up the onboarding wizard for your Humio environment, the content item page will automatically display the rule source code in the corresponding platform format. There is no need to filter content by the Humio platform beforehand.
Depending on the selected content type, you can choose one of the following automated detection capabilities tailored to your Humio environment*:
*These actions are available after completing the Environment Integration setup at step 5 of the onboarding wizard. For both automated search and deployment actions, you need to select one of the pre-configured environments.
Alternatively, you can manually copy the source code via the Copy to Clipboard button and then paste the Humio Query or Alert into your cloud environment and run the detection rule.
Teams can automatically stream Humio Alerts directly into their cloud-native environment via the Continuous Content Management (CCM) module available under the Automate category of SOC Prime’s platform. Powered by Humio’s API, this functionality allows organizations to stay on top of both emerging threats and strategic detection objectives without having to manually search for or download content from SOC Prime’s platform.
Please note that before leveraging the CCM module, Humio customers should have enabled API access to their Humio subscription, which can be pre-configured at step 5 of the onboarding wizard.
SOC Prime users can leverage the following CCM capabilities:
To gain more insights into the automated content management capabilities, please refer to the dedicated blog article.
After configuring the hunting environment at step 3 of the onboarding process, Humio customers can leverage SOC Prime’s hunting tools to search for threats faster and simpler than ever before.
Quick Hunt allows teams to hunt without an expert background in the field. To get started, select Hunt > Quick Hunt and browse the query list, which is sorted by top trending detections by default. Your Humio platform will be pre-selected automatically, along with the environment pre-configured during onboarding. In addition, you can select an existing Custom Field Mapping profile or set up a new one for hunting on non-standard log data. Please refer to the dedicated article section on how to configure the log source-based Custom Field Mapping profile.
Make sure you are logged into Humio Cloud before running a Quick Hunt Session.
Click Hunt to run a selected query directly in your Humio environment and then share feedback with your peers on your hunting experience. Providing feedback contributes to the collective global expertise enabled by SOC Prime’s platform and helps make hunting more efficient while continuously enhancing detection content quality and volume.
Uncoder CTI is designed to accelerate IOC-based threat hunting and allows instantly generating IOC queries fine-tuned for organization-specific environment needs.
Please note that after configuring the platform-dependent onboarding wizard, Humio will be automatically set as a hunting environment for Uncoder CTI sessions.
Humio users can hunt with Uncoder CTI in just a matter of clicks:
Notably, SOC Prime users can make the most of Uncoder CTI free of charge through May 25, 2022.
Uncoder.IO is an online translation engine intended to remove the dependency on a single tool for hunting and detecting threats: it converts Sigma-based detections into 25+ SIEM, EDR, and XDR formats. To automatically translate Sigma rules to the Humio format, take the following steps:
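To make the Sigma-to-Humio translation concrete, the block below is a toy converter added to this article as an illustration. It is not Uncoder.IO's code and covers only a small Sigma subset: map-style selections, the `contains`, `startswith` and `endswith` modifiers, and conditions built from `and`, `or`, `not` and parentheses over selection names. The rule it translates is constructed for the example, and the output relies on two Humio query-language facts: `*` acts as a wildcard inside a quoted string match, and backslash escapes quotes and backslashes. A real translation would additionally apply log-source field mapping (for example, Sysmon `Image` to the field name your Humio parser emits), which this example skips.

```python
"""Minimal Sigma -> Humio query translator (illustrative, not Uncoder.IO).

Supported Sigma subset: named selections that are maps of field -> value
or field -> list of values, the contains/startswith/endswith modifiers,
and a `condition` string made of selection names, and/or/not, parentheses.
Anything else raises ValueError instead of producing a wrong query.
"""
import re
from typing import Any

# Sigma value modifier -> Humio wildcard pattern. Humio treats `*` in a
# quoted string match as a glob, so "|contains" becomes "*value*", etc.
MODIFIERS = {
    "": "{}",
    "contains": "*{}*",
    "startswith": "{}*",
    "endswith": "*{}",
}


def _quote(value: str) -> str:
    """Render a Humio quoted string, escaping backslash and double quote."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def translate_field(key: str, value: Any) -> str:
    """Translate one `field|modifier: value(s)` entry into a Humio clause."""
    field, _, modifier = key.partition("|")
    if modifier not in MODIFIERS:
        raise ValueError(f"unsupported Sigma modifier: {modifier!r}")
    values = value if isinstance(value, list) else [value]
    clauses = [f"{field}={_quote(MODIFIERS[modifier].format(str(v)))}" for v in values]
    # A list of values in Sigma is an implicit OR.
    return clauses[0] if len(clauses) == 1 else "(" + " or ".join(clauses) + ")"


def translate_selection(selection: dict) -> str:
    """All entries of a Sigma map selection are implicitly AND-ed."""
    return " and ".join(translate_field(k, v) for k, v in selection.items())


def translate_condition(condition: str, detection: dict) -> str:
    """Substitute each selection name in the condition with its Humio clause."""
    out = []
    for tok in re.findall(r"\(|\)|\w+", condition):
        if tok in ("and", "or", "not", "(", ")"):
            out.append(tok)
        elif tok in detection:
            out.append("(" + translate_selection(detection[tok]) + ")")
        else:
            # Covers both unknown selection names and unsupported Sigma
            # condition syntax such as "1 of them" or "all of selection*".
            raise ValueError(f"unsupported token in condition: {tok!r}")
    return " ".join(out)


def sigma_to_humio(rule: dict) -> str:
    """Return the Humio query equivalent of a parsed Sigma rule (dict)."""
    detection = dict(rule["detection"])  # copy so the caller's rule is untouched
    condition = detection.pop("condition")
    return translate_condition(condition, detection)


# Constructed sample rule: the parsed form of a Sigma YAML detection block.
# (Hypothetical rule written for this example, not SOC Prime content.)
RULE = {
    "title": "certutil URL cache download (constructed example)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\certutil.exe",
            "CommandLine|contains": ["urlcache", "-f"],
        },
        "filter": {"ParentImage|endswith": "\\msiexec.exe"},
        "condition": "selection and not filter",
    },
}

if __name__ == "__main__":
    print(sigma_to_humio(RULE))
```

Running the module prints the query ready to paste into a Humio search box or Alert definition; the `filter` selection becomes a `not (...)` group, and the two `CommandLine` values become an OR group, which is exactly the shape you should sanity-check before deploying any machine-translated rule.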
Join SOC Prime’s Detection as Code platform to tap into the power of global industry collaboration enabling teams to keep up with the ever-increasing attack volume and proactively defend against complex and continuously growing digital threats. By harnessing the collective expertise of the world’s largest and constantly enriched detection content library, organizations can solve the challenge of creating a continuous volume of customized content suited for their unique SOC deployment environment. Individual researchers are also encouraged to join the ranks of collaborative cyber defense by sharing their detection content and being compensated for their contributions.