Uncoder AI: A Guide on Contributing Detection Rules to SOC Prime Platform via Threat Bounty Program

WRITTEN BY

Hanna Korostelova

Community Manager

[post-views]

October 07, 2024 · 4 min read

Uncoder AI: A Guide on Contributing Detection Rules to SOC Prime Platform via Threat Bounty Program

Table of contents:

Efficiency and collaboration are essential in cybersecurity. As part of the SOC Prime Platform, Uncoder AI is a a professional IDE & co-pilot for detection engiennering to streamline content creation and threat detection rule contribution. For those participating in the Threat Bounty Program, this tool makes it easier to contribute detection rules, collaborate with experts, and track the success of their contributions.

In this article, we’ll provide a step-by-step guide for contributors of threat detection rules on how to use Uncoder AI, from logging into the SOC Prime Platform to submitting your detection rules for review.

Step 1: Log into the SOC Prime Platform

To begin contributing detection rules, head over to the SOC Prime Platform and log into your account. Ensure that you use the same email address that you registered with for the Threat Bounty Program. If you’ve forgotten your password or haven’t set one up, don’t worry. Click on Get OTP, enter your email address, and hit Proceed. A six-digit one-time password (OTP) will be sent to your inbox. Use this OTP to log in and access your account.

Step 2: Set Up Your Custom Repository

Once you’ve logged into the Platform, the next step is to check if you have a custom repository where your rules and content can be saved. To do this, navigate to the Threat Detection Marketplace and select the Repositories section from the top menu. If you don’t have access to this, click on your account icon and look for the corresponding option in the menu.

If you already have a repository, you’re good to go. If not, create one by clicking Add Repository. Give your repository a meaningful name and add an optional description. This is where you’ll store the detection rules you create.

Step 3: Start Writing Rules with Uncoder AI

Now that your repository is set up, it’s time to use Uncoder AI to create detection rules. Navigate to the Uncoder AI section within the Platform by choosing the corresponding tab in the top menu. When contributing content to the Threat Bounty Program, select a template. There are two templates available:

Roota for Threat Bounty
Sigma for Threat Bounty

Pick the one that best fits your needs. The Author and ID fields will be pre-filled to save time and make the process more efficient.

Step 4: Save and Validate Your Rule

After writing your rule, save it to your custom repository. To do this, click Save As New Rule, ensure no changes are needed, and hit Save.

Next, validate your rule using Warden, the validation tool within the Platform. It’s crucial that the rule passes validation, as errors will prevent your rule from being accepted. Address any issues identified by Warden to ensure the rule is ready for submission.

Step 5: Submit Your Rule for Review

Once your rule is saved and validated, you can submit it for review. Click Contribute, and you’ll see the Threat Bounty Contribution section. Here, you can track the history of the rule, including when it was saved and submitted for review.

After submitting, the rule is now in the review stage, awaiting feedback from the SOC Prime team. You’ll be notified by email once the review is complete. If the rule meets the required quality standards, it will be published on the Threat Detection Marketplace.

Step 6: Review Results and Iteration

If the rule doesn’t pass the review, it will be returned with suggestions for improvement. You can see the exact reason for the Returned status and make the necessary adjustments. Once the corrections are made, resubmit the rule for another review.

The iteration process continues until the rule meets the necessary standards. After each iteration, you will be notified via email.

Step 7: Rule Publication and Tracking Performance

Once the rule is approved and published, it will be available on the Threat Detection Marketplace. You can monitor its performance and track how often it’s downloaded and deployed. The Platform also provides statistics on the rule’s usage.

All of this information is available in the Detection Rules Search section of Uncoder AI, under My Repositories. Simply click on a rule to see its status, history, and contribution details.

Conclusion

Uncoder AI is a powerful tool that simplifies the creation and contribution of detection rules within SOC Prime’s Threat Bounty Program. By following this guide, you’ll be able to navigate the process from setting up your repository to publishing and tracking the success of your rules.

The ability to collaborate with industry experts and track the real-world usage of your contributions makes Uncoder AI an essential tool for cybersecurity professionals. So, get started today and contribute to a safer digital world.

Was this article helpful?

Like and share it with your peers.

Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Join for Free Book a Meeting

Blog, SIEM & EDR — 5 min read

Practical Guide to Converting IOCs to SIEM Queries with Uncoder AI

Alla Yurchenko

Blog, Latest Threats — 4 min read

UAC-0001 aka APT28 Attack Detection: Leveraging PowerShell Command in Clipboard as Initial Entry Point

Veronika Telychko

Blog, Latest Threats — 4 min read

CVE-2024-47575 Detection: FortiManager API Vulnerability Exploited in Zero-Day Attacks

Veronika Telychko

Name	Descripiton
PHPSESSID	Preserves user session state across page requests. Cookie generated by applications based on the PHP language. This is a general purpose identifier used to maintain user session variables. It is normally a random generated number, how it is used can be specific to the site, but a good example is maintaining a logged-in status for a user between pages.
sp_i	Used to store information about authenticated User.
sp_r	Used to store information about authenticated User.
sp_a	Used to store information about authenticated User.

Name	Descripiton
tuuid	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded.
tuuid_last_update	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded.
um	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded.
umeh	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded.
na_sc_x	Used by the social sharing platform AddThis to keep a record of parts of the site that has been visited in order to recommend other parts of the site.
APID	Collects anonymous data related to the user's visits to the website.
IDSYNC	Collects anonymous data related to the user's visits to the website.
_cc_aud	Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The purpose is to segment the website's users according to factors such as demographics and geographical location, in order to enable media and marketing agencies to structure and understand their target groups to enable customised online advertising.
_cc_cc	Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The purpose is to segment the website's users according to factors such as demographics and geographical location, in order to enable media and marketing agencies to structure and understand their target groups to enable customised online advertising.
_cc_dc	Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The purpose is to segment the website's users according to factors such as demographics and geographical location, in order to enable media and marketing agencies to structure and understand their target groups to enable customised online advertising.
_cc_id	Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The purpose is to segment the website's users according to factors such as demographics and geographical location, in order to enable media and marketing agencies to structure and understand their target groups to enable customised online advertising.
dpm	Via a unique ID that is used for semantic content analysis, the user's navigation on the website is registered and linked to offline data from surveys and similar registrations to display targeted ads.
acs	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded, with the purpose of displaying targeted ads.
clid	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded, with the purpose of displaying targeted ads.
KRTBCOOKIE_#	Registers a unique ID that identifies the user's device during return visits across websites that use the same ad network. The ID is used to allow targeted ads.
PUBMDCID	Registers a unique ID that identifies the user's device during return visits across websites that use the same ad network. The ID is used to allow targeted ads.
PugT	Registers a unique ID that identifies the user's device during return visits across websites that use the same ad network. The ID is used to allow targeted ads.
ssi	Registers a unique ID that identifies a returning user's device. The ID is used for targeted ads.
_tmid	Registers a unique ID that identifies the user's device upon return visits. The ID is used to target ads in video clips.
wam-sync	Used by the advertising platform Weborama to determine the visitor's interests based on pages visits, content clicked and other actions on the website.
wui	Used by the advertising platform Weborama to determine the visitor's interests based on pages visits, content clicked and other actions on the website.
AFFICHE_W	Used by the advertising platform Weborama to determine the visitor's interests based on pages visits, content clicked and other actions on the website.
B	Collects anonymous data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The registered data is used to categorise the users' interest and demographical profiles with the purpose of customising the website content depending on the visitor.
1P_JAR	These cookies are used to gather website statistics, and track conversion rates.
APISID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
HSID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
NID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
SAPISID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
SID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
SIDCC	Security cookie to protect users data from unauthorised access.
SSID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
__utmx	This cookie is associated with Google Website Optimizer, a tool designed to help site owners improve their wbesites. It is used to distinguish between two varaitions a webpage that might be shown to a visitor as part of an A/B split test. This helps site owners to detemine which version of a page performs better, and therefore helps to improve the website.
__utmxx	This cookie is associated with Google Website Optimizer, a tool designed to help site owners improve their wbesites. It is used to distinguish between two varaitions a webpage that might be shown to a visitor as part of an A/B split test. This helps site owners to detemine which version of a page performs better, and therefore helps to improve the website.

Name	Descripiton
_hjid	Hotjar cookie. This cookie is set when the customer first lands on a page with the Hotjar script. It is used to persist the random user ID, unique to that site on the browser. This ensures that behavior in subsequent visits to the same site will be attributed to the same user ID.
_hjIncludedInSample	This cookie is associated with web analytics functionality and services from Hot Jar, a Malta based company. It uniquely identifies a visitor during a single browser session and indicates they are included in an audience sample.
intercom-id-[xxx]	This cookie is used by Intercom as a session so that users can continue a chat as they move through the site.
intercom-session-[xxx]	Used to keeping track of sessions and remember logins and conversations.
demdex	Via a unique ID that is used for semantic content analysis, the user's navigation on the website is registered and linked to offline data from surveys and similar registrations to display targeted ads.
CookieConsent	Stores the user's cookie consent state for the current domain.
__cfduid	Used by the content network, Cloudflare, to identify trusted web traffic.
ss	These cookies enable the website to provide enhanced functionality and personalisation . They may be set by us or by third party providers whose services we have added to our pages. These services may include the Live Chat facility, Contact Us form(s), the Product Quotation forms and submission process, and the Email Newsletter sign up functionality .

Name	Descripiton
_ga	This cookie name is asssociated with Google Universal Analytics - which is a significant update to Google's more commonly used analytics service. This cookie is used to distinguish unique users by assigning a randomly generated number as a client identifier. It is included in each page. Registers a unique ID that is used to generate statistical data on how the visitor uses the website. request in a site and used to calculate visitor, session and campaign data for the sites analytics reports. By default it is set to expire after 2 years, although this is customisable by website owners.
_gat	Used by Google Analytics to throttle request rate. This cookie name is associated with Google Universal Analytics, according to documentation it is used to throttle the request rate - limiting the collection of data on high traffic sites. It expires after 10 minutes.
_gid	This cookie name is asssociated with Google Universal Analytics. This appears to be a new cookie and as of Spring 2017 no information is available from Google. It appears to store and update a unique value for each page visited. Registers a unique ID that is used to generate statistical data on how the visitor uses the website.
IDE	Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user.
r/collect	Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user.
test_cookie	Used to check if the user's browser supports cookies.
collect	Used to send data to Google Analytics about the visitor's device and behaviour. Tracks the visitor across devices and marketing channels.
ads/user-lists/#	These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites.
c	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
khaos	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
put_#	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
rpb	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
rpx	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
tap.php	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.

Uncoder AI: A Guide on Contributing Detection Rules to SOC Prime Platform via Threat Bounty Program

Step 1: Log into the SOC Prime Platform

Step 2: Set Up Your Custom Repository

Step 3: Start Writing Rules with Uncoder AI

Step 4: Save and Validate Your Rule

Step 5: Submit Your Rule for Review

Step 6: Review Results and Iteration

Step 7: Rule Publication and Tracking Performance

Conclusion

Table of Contents

Was this article helpful?

Related Posts

Uncoder AI: A Guide on Contributing Detection Rules to SOC Prime Platform via Threat Bounty Program

Step 1: Log into the SOC Prime Platform

Step 2: Set Up Your Custom Repository

Step 3: Start Writing Rules with Uncoder AI

Step 4: Save and Validate Your Rule

Step 5: Submit Your Rule for Review

Step 6: Review Results and Iteration

Step 7: Rule Publication and Tracking Performance

Conclusion

#ez_toc_widget_sticky-2 .ez-toc-widget-sticky-container ul.ez-toc-widget-sticky-list li.active{ background-color: #ededed; } Table of Contents

Was this article helpful?

Related Posts

Table of Contents