SOC Prime is committed to fostering collective cyber defense based on global threat intelligence, crowdsourcing, and zero-trust, extended by generative AI, enabling organizations to preempt attacks before they strike. One of the key pillars of collective cyber defense is active contribution to open-source projects, which lays the groundwork for global industry collaboration by promoting knowledge sharing and frictionless threat intel exchange among cybersecurity experts.
In November 2023, SOC Prime launched its open-source Uncoder IO, acting as an IDE and a content translation engine for Detection Engineers and Threat Hunters. Since the release of the initial Uncoder version in 2018, thousands of security engineers have relied on the online Sigma rule translation engine in their daily security practices, trusting the tool’s 100% privacy principles. For the past five years, SOC Prime has consistently upheld its commitment to privacy, ensuring that no data within Uncoder is shared with any third parties or AI.
The latest Uncoder IO release, v1.0.3 beta, introduces a set of enhancements that extend the stack of supported technologies and improve the quality of content translations, supporting adoption of the open-source project.
Support for Graylog SIEM
We’re constantly expanding the list of supported language formats to unlock more Detection Engineering capabilities for defenders who have mastered a specific SIEM technology. With this release, Uncoder IO supports Graylog SIEM, enabling the translation of Roota or Sigma rules into the Graylog query format.
Author & License Recognition
Being part of the open-source community entails recognizing and giving credit to all content contributors. Open-source detection code is shared under the Detection Rule License (DRL) or another relevant license. To acknowledge the contribution of each community content developer, the author and license of the source rule are now added as a comment to its translation, or to the description field where one is available.
Translation Quality Enhancements
We’re constantly looking for ways to enhance content quality when translating vendor-agnostic detection algorithms written in the Roota or Sigma open-source languages into various SIEM, EDR, XDR, or Data Lake formats. In the most recent Uncoder IO release, we’ve made a series of improvements to polish the translation quality of detection code.
To ensure proper character processing, we’ve added escaping mechanisms, for both input and output, for the following platforms: Splunk, CrowdStrike, Elastic Stack, Falcon LogScale, Microsoft Sentinel, IBM QRadar, Chronicle Security, and AWS OpenSearch.
Roota Translations
To improve the quality of detection code translated from Roota rules, the latest Uncoder IO release includes the following updates:
- Added parsing of Splunk keywords without quotes and fixed known issues with keywords
- Added support for the != operator in Splunk queries and improved the logic of processing other operators
- Improved translation of Roota with a Splunk query into Falcon LogScale by adding quotes to the values in table functions
- Fixed an issue where the same default mapping could be applied for any output language
Sigma Translations
To boost the code quality translated from Sigma to other supported language formats, we’ve introduced the following updates to the Uncoder IO release v1.0.3 beta:
- Fixed an issue with the wrong translation of the level field into some platforms
- Improved parsing of the AND NOT operator
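The two translation-quality points above, escaping of field values per target platform and correct handling of `AND NOT`, are easy to get wrong and the failure is usually silent: a value containing a quote, backslash or wildcard produces a query that parses but matches the wrong events. The following Python sketch is an added illustration written for this post; it is not Uncoder IO's own code and does not reproduce its output format. It assumes a constructed Sigma-style rule, the escaping rules of the Lucene classic query parser (the syntax Graylog and Elastic's `query_string` accept), SPL's convention of escaping `"` and `\` inside quoted strings, and SPL triple-backtick comments as the place to carry the author and license credit.

```python
"""Toy Sigma-to-query translator (hypothetical example, not Uncoder IO code)."""
from typing import Dict, Tuple

# Reserved characters of the Lucene classic query parser (used by Graylog and
# Elastic query_string). Space is included so unquoted wildcard terms survive.
LUCENE_SPECIAL = set('+-&|!(){}[]^"~*?:\\/ ')

# Constructed example rule; author and license are placeholders, not real credits.
EXAMPLE_RULE = {
    "title": "Constructed example: cmd.exe echoing a quoted string",
    "author": "Jane Doe (constructed)",
    "license": "DRL 1.1",
    "detection": {
        "selection": {
            "Image|endswith": "\\cmd.exe",
            "CommandLine|contains": 'echo "hi"',
        },
        "filter": {"User": "NT AUTHORITY\\SYSTEM"},
        "condition": "selection and not filter",
    },
}


def lucene_escape(value: str) -> str:
    """Backslash-escape every reserved character so the value matches literally."""
    return "".join("\\" + ch if ch in LUCENE_SPECIAL else ch for ch in value)


def splunk_escape(value: str) -> str:
    """Inside an SPL double-quoted string only backslash and double quote are special."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def split_modifier(key: str) -> Tuple[str, str]:
    """'CommandLine|contains' -> ('CommandLine', 'contains'); 'User' -> ('User', '')."""
    field, _, modifier = key.partition("|")
    return field, modifier


def wildcard(value: str, modifier: str) -> str:
    """Map Sigma modifiers to wildcards. The value is already escaped, so a literal
    '*' inside it stays literal while the wildcards added here stay wildcards."""
    forms = {"contains": f"*{value}*", "startswith": f"{value}*", "endswith": f"*{value}"}
    return forms.get(modifier, value)


def render_group(items: Dict[str, str], target: str) -> str:
    """Render one Sigma selection as a parenthesised AND of field terms."""
    terms = []
    for key, raw in items.items():
        field, modifier = split_modifier(key)
        if target == "splunk":
            terms.append(f'{field}="{wildcard(splunk_escape(raw), modifier)}"')
        else:  # lucene (Graylog / Elastic)
            terms.append(f"{field}:{wildcard(lucene_escape(raw), modifier)}")
    return "(" + " AND ".join(terms) + ")"


def translate(rule: dict, target: str) -> str:
    """Translate a rule whose condition is a conjunction such as
    'selection and not filter'. A real translator parses the full condition
    grammar; this sketch only splits on ' and ' and recognises a leading 'not'."""
    det = rule["detection"]
    positive, negative = [], []
    for token in det["condition"].lower().split(" and "):
        token = token.strip()
        if token.startswith("not "):
            negative.append(token[4:].strip())
        else:
            positive.append(token)
    parts = [render_group(det[name], target) for name in positive]
    # AND NOT is emitted as an explicit NOT over the whole negated group so the
    # negation cannot bind to only the first term of a multi-field filter.
    parts += ["NOT " + render_group(det[name], target) for name in negative]
    query = " AND ".join(parts)
    if target == "splunk":
        # SPL supports ``` ... ``` comments, which carry the source rule's credit.
        credit = f"``` author: {rule['author']} | license: {rule['license']} ```"
        return f"{credit} {query}"
    # Lucene has no comment syntax; the credit belongs in a description field instead.
    return query


if __name__ == "__main__":
    print(translate(EXAMPLE_RULE, "splunk"))
    print(translate(EXAMPLE_RULE, "lucene"))
```

The point to take from the output is that the same rule value is escaped differently per target: `echo "hi"` becomes `\"hi\"` inside an SPL quoted string but `echo\ \"hi\"` as an unquoted Lucene wildcard term, and a single Windows path backslash doubles in both. Escaping before the modifier wildcards are added is what keeps a literal `*` in a rule value from turning into a wildcard, and wrapping the negated group in `NOT (...)` keeps `AND NOT` from applying to just the first field of the filter.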
Contribute to the Uncoder IO open-source project to help us spread the collective good and make it even more useful for the global cyber defender community. To submit a pull request with your ideas or suggested changes, please refer here.