Threat Detection Marketplace 4.11.0 Is Released

June 04, 2021

On June 2, 2021, we released Threat Detection Marketplace version 4.11.0 to add new hot features and master the existing functionality of our Detection as Code platform. With this latest update, we introduce the support for MITRE ATT&CK® framework v9, initiate a new multi-language ATT&CK project, provide major content quality enhancements, polish the Detection Engineer’s role-based platform experience, and fix a list of minor bugs to resolve issues reported by our customers.

MITRE ATT&CK V9 Support

This Threat Detection Marketplace update introduces the support for the latest MITRE ATT&CK® framework v9. One of the key enhancements is adding the support for ATT&CK Sub-techniques that were not available prior to this platform release. To explore the latest innovation, you can read our dedicated blog article describing all corresponding upgrades.

MITRE ATT&CK® Map: Multi-Language Initiative

To help Security Teams worldwide adopt the best-proven practices, we have come up with an idea of the MITRE ATT&CK Map available in their local language. To make this initiative real, with this release, we have launched the new multi-language ATT&CK project. SOC Prime’s customers can now click the drop-down list with the list of available languages identified by the flag icon available on the https://attack.socprime.com/#!/ webpage.

By selecting one of the languages, security performers will be redirected to the corresponding webpage version. We are looking forward to receiving support from our cybersecurity community for improving the translation quality. SOC Prime welcomes security enthusiasts across our global community to come up with their translation suggestions by leaving their contact email, so we can get in touch and collaborate on the project’s multi-language support.

Detections View: Detection Engineer’s Role-Based Experience

SOC Prime is aimed at providing security practitioners with role-based experience using Threat Detection Marketplace addressing the most relevant use cases and procedures their professional role involves. With this release, we’ve implemented the content search functionality tailored to the Detection Engineer’s security needs.

Detection Engineers can switch to their tailor-made view mode by selecting the Detections tab from the Browse Content By functionality on the Content page. For the most personalized role-based experience, the Detections view mode displays all highly relevant filters at once, which can help Detection Engineers analyze the latest threats and adversaries at a glance, as well as streamline the continuous log management delivery as part of their daily procedures.

The content list is arranged accordingly to simplify the process of defining attack priorities and enabling continuous event collection by displaying the following details under the corresponding columns:

Type
Author
Log Source Product
Log Source Category
Log Source Service
Event ID
Data Source

The Detections view mode also adds to a more streamlined and intuitive content sorting using the corresponding icons:

Recommended (default option)
Google Chronicle
Microsoft

Log Source Product Filter Improvements

To streamline the content search and personalize the platform experience for our customers, we’ve introduced improvements to the Log Source Product filter logic for the Expert and Detections view models. Particularly, new three fields have been added to the Lucene query dictionary to enable content filtering by the log source product:

tags.category
tags.product
Tags.service

To keep Threat Detection Marketplace users informed on the latest platform changes, we’ve updated the Lucene Search section in our dedicated Help Center guide. Now the platform guide displays three new fields based on the newly added log source categories that can be used in the search queries when switching to the Lucene syntax.

Moreover, to maintain consistency with the Log Source Product filter enhancements across the entire platform functionality, we’ve reduced several fields previously available in Rule Master. Now security performers will see a single Log Source Product option instead of a set of deprecated filters, such as Application, Firewall, Network Equipment, Operating System, Proxy, etc. Removing these filters makes the profile customization flow faster and more intuitive.

Content Quality Enhancements

At SOC Prime, we’re constantly striving to improve the content quality when translating Sigma behavior-based detections to various SIEM, EDR, and NTDR language formats.

Elastic Stack Translation Improvements

The latest Threat Detection Marketplace version 4.11.0 provides improvements to Elastic Stack language format. For an even more intuitive threat detection experience, we’ve updated all options with alternative translations in the Config drop-down list to make them consistent across all content types available for the Elastic Stack platform. Elastic customers can now see the same options in the Config drop-down list no matter what content type has been chosen — Query, Detection Rule, Saved Search, Watcher, or ElastAlert:

winlogbeat6
ci-winlogbeat6
ci-winlogbeat7
corelight

Metadata for Chronicle Translations

For an improved threat detection experience of Google Chronicle customers, we’ve recently added the ability to include more detailed metadata when translating Sigma rules to the YARA-L language format. The newly added meta parameter can now contain the following additional information when converted from the Sigma language:

Reference to the source links, including the Threat Detection Marketplace reference
Rule status
Custom tags from Threat Detection Marketplace, including “Community” or “Exclusive”
False positives
Level

Sigma Rules with Multiple Log Sources

Sigma behavior-based detections that contain multiple log sources are known to cause issues when translating them into various language formats. We’ve hit a snag when such Sigma rules were wrongly translated with a single log source instead of multiple ones. With this release, we’ve improved a number of translation issues related to such types of Sigma rules, including those for Azure Sentinel, Google Chronicle, and the Elastic Stack. As a result, Sigma detections with multiple log sources are properly translated to other language formats.

Cyber Library Updates: New Content Guide for Creating Rules in the Google Chronicle Instance

At SOC Prime, we’re constantly looking for ways to share cybersecurity knowledge across our global community. With this in mind, we have created the Cyber Library that provides free access to content guides for the majority of SIEM, EDR, and NTDR solutions powered by Threat Detection Marketplace. This latest update introduces a deep dive content guide for creating YARA-L rules from scratch right in the customers’ Google Chronicle instance with detailed guidelines and examples.

Key Bug Fixes & Improvements

With this release, we’ve made the following bug fixes and improvements to Threat Detection Marketplace:

1) Platform experience improvements:

Fixed the issue with the HTML entity (&amp) display in the rule descriptions on the Content page when the MITRE ATT&CK view mode is selected. After the update, the ampersand is properly displayed in rule descriptions as in “ATT&CK” instead of the HTML entity:

Updated the number of rules displayed for users with the Limited Access subscription that appears as a message prompting them to switch to a corporate email address for a more insightful platform experience.
Fixed the issue with the Unlock icon display in the Recommended Premium Apps section when opening Exclusive content. After resolving this issue, Threat Detection Marketplace users will no longer see this icon for content items available for access.

Fixed the data display on the Detection Quality Increase pop-up when drilling down to the content details from the Dashboard page. Before this release, the Detection Quality Increase pop-up failed to display all the columns properly.

2) Fixed the position of the tooltip icon next to the Vulnerability Management Specialist role in the Role and Platform section of the user profile:

3) In the Cyber Library:

Fixed the scroll bar position for webinar registration pop-ups in the Cyber Library to ensure a more consistent user experience across the entire platform.
Fixed the issue with the webinar video display in the fullscreen mode for Safari browsers.

4) Fixed the issue with downloading Rule Packs for users with the Community subscription who have reached the content download limit for their subscription plan. From now on, users will be redirected to the Upgrade page and promoted to upgrade their subscription to increase their content availability options.

5) On the Leaderboards page:

Improved the logic for the consistent display of the content amount on the Leaderboards > Release Dynamics chart and on the Content page based on the same filters. The issue occurred when comparing this amount on the Release Dynamics chart and then drilling down to the Content page filtered by the corresponding Lucene query.

Fixed the issue with the data display on the All Content Linked With MITRE ATT&CK chart when switching between various time ranges:

Get a free subscription to Threat Detection Marketplace, an industry-leading Content-as-a-Service (CaaS) platform that powers complete CI/CD workflow for threat detection by providing qualified, cross-vendor, and cross-tool SOC content. Our library aggregates 100K+ SIEM and EDR algorithms tailored to the company’s environment and threat profile. The detections are continuously enriched with additional threat context, verified, checked for impact, false positives, and other operational considerations through a series of quality assurance audits. Eager to participate in threat hunting activities and craft your own detection content? Join our Threat Bounty Program!

Go to Platform Join Threat Bounty

Name	Descripiton
PHPSESSID	Preserves user session state across page requests. Cookie generated by applications based on the PHP language. This is a general purpose identifier used to maintain user session variables. It is normally a random generated number, how it is used can be specific to the site, but a good example is maintaining a logged-in status for a user between pages.
sp_i	Used to store information about authenticated User.
sp_r	Used to store information about authenticated User.
sp_a	Used to store information about authenticated User.

Name	Descripiton
tuuid	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded.
tuuid_last_update	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded.
um	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded.
umeh	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded.
na_sc_x	Used by the social sharing platform AddThis to keep a record of parts of the site that has been visited in order to recommend other parts of the site.
APID	Collects anonymous data related to the user's visits to the website.
IDSYNC	Collects anonymous data related to the user's visits to the website.
_cc_aud	Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The purpose is to segment the website's users according to factors such as demographics and geographical location, in order to enable media and marketing agencies to structure and understand their target groups to enable customised online advertising.
_cc_cc	Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The purpose is to segment the website's users according to factors such as demographics and geographical location, in order to enable media and marketing agencies to structure and understand their target groups to enable customised online advertising.
_cc_dc	Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The purpose is to segment the website's users according to factors such as demographics and geographical location, in order to enable media and marketing agencies to structure and understand their target groups to enable customised online advertising.
_cc_id	Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The purpose is to segment the website's users according to factors such as demographics and geographical location, in order to enable media and marketing agencies to structure and understand their target groups to enable customised online advertising.
dpm	Via a unique ID that is used for semantic content analysis, the user's navigation on the website is registered and linked to offline data from surveys and similar registrations to display targeted ads.
acs	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded, with the purpose of displaying targeted ads.
clid	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded, with the purpose of displaying targeted ads.
KRTBCOOKIE_#	Registers a unique ID that identifies the user's device during return visits across websites that use the same ad network. The ID is used to allow targeted ads.
PUBMDCID	Registers a unique ID that identifies the user's device during return visits across websites that use the same ad network. The ID is used to allow targeted ads.
PugT	Registers a unique ID that identifies the user's device during return visits across websites that use the same ad network. The ID is used to allow targeted ads.
ssi	Registers a unique ID that identifies a returning user's device. The ID is used for targeted ads.
_tmid	Registers a unique ID that identifies the user's device upon return visits. The ID is used to target ads in video clips.
wam-sync	Used by the advertising platform Weborama to determine the visitor's interests based on pages visits, content clicked and other actions on the website.
wui	Used by the advertising platform Weborama to determine the visitor's interests based on pages visits, content clicked and other actions on the website.
AFFICHE_W	Used by the advertising platform Weborama to determine the visitor's interests based on pages visits, content clicked and other actions on the website.
B	Collects anonymous data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The registered data is used to categorise the users' interest and demographical profiles with the purpose of customising the website content depending on the visitor.
1P_JAR	These cookies are used to gather website statistics, and track conversion rates.
APISID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
HSID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
NID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
SAPISID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
SID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
SIDCC	Security cookie to protect users data from unauthorised access.
SSID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
__utmx	This cookie is associated with Google Website Optimizer, a tool designed to help site owners improve their wbesites. It is used to distinguish between two varaitions a webpage that might be shown to a visitor as part of an A/B split test. This helps site owners to detemine which version of a page performs better, and therefore helps to improve the website.
__utmxx	This cookie is associated with Google Website Optimizer, a tool designed to help site owners improve their wbesites. It is used to distinguish between two varaitions a webpage that might be shown to a visitor as part of an A/B split test. This helps site owners to detemine which version of a page performs better, and therefore helps to improve the website.

Name	Descripiton
_hjid	Hotjar cookie. This cookie is set when the customer first lands on a page with the Hotjar script. It is used to persist the random user ID, unique to that site on the browser. This ensures that behavior in subsequent visits to the same site will be attributed to the same user ID.
_hjIncludedInSample	This cookie is associated with web analytics functionality and services from Hot Jar, a Malta based company. It uniquely identifies a visitor during a single browser session and indicates they are included in an audience sample.
intercom-id-[xxx]	This cookie is used by Intercom as a session so that users can continue a chat as they move through the site.
intercom-session-[xxx]	Used to keeping track of sessions and remember logins and conversations.
demdex	Via a unique ID that is used for semantic content analysis, the user's navigation on the website is registered and linked to offline data from surveys and similar registrations to display targeted ads.
CookieConsent	Stores the user's cookie consent state for the current domain.
__cfduid	Used by the content network, Cloudflare, to identify trusted web traffic.
ss	These cookies enable the website to provide enhanced functionality and personalisation . They may be set by us or by third party providers whose services we have added to our pages. These services may include the Live Chat facility, Contact Us form(s), the Product Quotation forms and submission process, and the Email Newsletter sign up functionality .

Name	Descripiton
_ga	This cookie name is asssociated with Google Universal Analytics - which is a significant update to Google's more commonly used analytics service. This cookie is used to distinguish unique users by assigning a randomly generated number as a client identifier. It is included in each page. Registers a unique ID that is used to generate statistical data on how the visitor uses the website. request in a site and used to calculate visitor, session and campaign data for the sites analytics reports. By default it is set to expire after 2 years, although this is customisable by website owners.
_gat	Used by Google Analytics to throttle request rate. This cookie name is associated with Google Universal Analytics, according to documentation it is used to throttle the request rate - limiting the collection of data on high traffic sites. It expires after 10 minutes.
_gid	This cookie name is asssociated with Google Universal Analytics. This appears to be a new cookie and as of Spring 2017 no information is available from Google. It appears to store and update a unique value for each page visited. Registers a unique ID that is used to generate statistical data on how the visitor uses the website.
IDE	Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user.
r/collect	Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user.
test_cookie	Used to check if the user's browser supports cookies.
collect	Used to send data to Google Analytics about the visitor's device and behaviour. Tracks the visitor across devices and marketing channels.
ads/user-lists/#	These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites.
c	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
khaos	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
put_#	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
rpb	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
rpx	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
tap.php	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.

Threat Detection Marketplace 4.11.0 Is Released

MITRE ATT&CK V9 Support

MITRE ATT&CK® Map: Multi-Language Initiative

Detections View: Detection Engineer’s Role-Based Experience

Log Source Product Filter Improvements