
Submitted URL: http://socprime.com/
Effective URL: https://socprime.com/
Submission: On August 16 via manual from UZ — Scanned from DE

COMMUNITY DRIVEN AI FOR CYBER DEFENDERS


Powered by:

 * RAPIDS: Open-source Data Science at the speed of thought, by NVIDIA
 * AWS: World's fastest and leading cloud
 * MITRE ATT&CK: The periodic table of cyber security
 * OpenSearch: Scalable, open-source way for data-intensive applications
 * MITRE TRAM: Open-source machine learning for threat intelligence mapping
 * Roota: Open source universal language for all cyber defenders
 * Sigma: Open source threat hunting queries for security pros
 * Uncoder AI: IDE for Detection Engineering




SIGMA RULES SEARCH ENGINE

KNOW ALL ABOUT CYBER ATTACKS, ACT BEFORE THEY HIT

Search by: Sigma Rules, MITRE ATT&CK®, CVE, Ransomware, Log Sources

Trending searches: ransomware, cve-2022-41352, kibana, uac-0050,
cve-2024-21413, infoblox, apt37, firewall, dark, active directory

CONNECTING 45,000+ users, 600+ threat researchers and 9,000+ organizations.

TRUSTED BY 42% of the Fortune 100, 30% of the Global 500 and 21% of the Global
2000.



ONE LIVE COMMUNITY FOR COLLECTIVE CYBER DEFENDERS






 * World's top 5 consumer goods company, Fortune 500
 * 3rd largest solid waste management company in the USA, Global 2000
 * Leading Enterprise System Integrator and Solution Provider
 * Member of the Big Four, Fortune 500 (case study available)
 * Global technology consulting and digital solutions company (case study
   available)
 * America's leading satellite television provider, Fortune 500
 * Largest telecom provider in the UK, Fortune 500, Global 2000
 * Leading ICT Integrator, listed on the Italian Stock Exchange (case study
   available)
 * Top MDR in Europe, US & Asia, Trusted Introducer member (case study
   available)
 * Top South Korean MSSP, MISA member, Part of ST Telemedia Cloud
 * BNP Paribas Group subsidiary, one of the largest Ukrainian banks (case
   study available)






STAY AHEAD OF THE CURVE


How do the world’s largest brands and mission-critical organizations overcome
the challenges of threat complexity & the cybersecurity talent shortage? They
make security operations Sigma-enabled, future-proof the team’s hard skills, and
break through dependency on the SIEM & EDR tech stack while taking its cost
efficiency to the limit. Sounds like a dream come true? Read on for the full
story on the future of Collective Cyber Defense.


BACKED BY

We believe that our investors reflect and share our team’s core values, a
commitment to a better, safer cyber world, through technology, innovation,
diversity and privacy. Together, we are building an Open Core company, with an
international community at its heart.


Atlantic Bridge is a Growth Equity Firm with a Cross Border Value Add strategy.
Our team is made up of successful entrepreneurs and senior technology industry
executives, and we invest in strong, ambitious entrepreneurs and management
teams that have the passion and drive to scale up and exploit major growth
opportunities. https://abven.com/

J-Ventures is a community-driven global venture capital fund of top investors,
executives, and founders. Based in Silicon Valley, we operate as a collaborative
community of leaders with shared values and a strong network of connected
capital. https://www.j-ventures.com/

DNX Ventures is an early stage VC firm focusing on B2B startups. We partner
with teams that are shaping industries and transforming the way we live and
work. We invest in startups solving the biggest challenges for enterprise
companies within the SaaS/Cloud, Cybersecurity, Deeptech, Sustainability,
Hardware, Retail and Finance sectors, and more. https://www.dnx.vc/

Streamlined VC is passionate about working with visionary founders to help them
create exceptional companies and capture as much of that value for themselves
as possible – they deserve it! If we stay true to our beliefs and are good at
what we do, then we will benefit too. https://www.streamlined.vc/philosophy

Rembrandt Venture Partners brings an operational perspective to its
investments, recognizing that growth is not without significant challenges and
that building businesses is hard. The RVP team brings over 30 years of "C-Level"
operating experience and over 60 years of venture capital investing experience.
https://rembrandtvc.com/



 * SOC ANALYSTS
   Struggling with a never-ending stream of alerts and limited time to
   investigate them? Still pivoting between dozens of tools to manually generate
   alert context? Join our community to triage alerts faster while improving
   precision, easily find complete context in one place, access peer reviews of
   alert logic, chat live in the community Discord channels with experts on
   every SIEM and EDR, and train on new skills to grow your career faster.

 * THREAT HUNTERS
   Low caffeine level, procrastination, and uncertainty on where to start your
   hypothesis validation? Tap into over 11,000 ideas of prepared, tested and
   MITRE ATT&CK tagged threat hunting queries for the most common SIEMs and
   EDRs, ready to be used, tuned, and improved, so that you can find evil and
   finish that report on time. Drink coffee together in good company.
   Worldwide. Online.

 * DETECTION ENGINEERS
   Which logging pipeline do we optimize first? Do we have the data and rules to
   detect the latest CVE exploitation or to confirm with confidence that no IOC
   matches? Deploy detection rules to production faster by building on the
   research that was already done and coded into Sigma rules. Customize filters
   and optimize performance for any SIEM backend by boosting your unique
   expertise with better tools. Solve the most complex detection engineering
   tasks together.

 * SOC & IR MANAGERS
   Your SOC Analysts are too slow with alert triage and SOAR did not fix it.
   Meanwhile, Threat Hunters are always "in process" while tasks are "in
   progress". Detection Engineers cannot implement your logging plan because the
   scope changes every month, and they always ask to increase SIEM capacity. To
   win time, you regularly end up manually crafting metrics reports for your
   CISO. Implement a revolutionary change to the process by making detection
   and response Sigma-enabled and aligned with MITRE ATT&CK. Improve your MTTD
   & MTTR, just like your peers have been doing since 2018.

 * CISOS
   Threat Actors do sleep and take rest, and you deserve your weekends too. Win
   battles with the team and tools you have, not the ones you read about in
   vendor marketing materials. Together, we can implement the strategy for
   Collective Cyber Defense to overcome any threat.






CODE YOUR FUTURE CV

Let your threat research speak for you. We're all too busy with our daily work
to do test tasks for job applications, and yet it is impossible to test the hard
skills of a cyber defender without performing practical tasks. Let your Sigma
and ATT&CK knowledge translate into your CV. The one that your peers welcome,
understand, and accept. Hard skills make you a professional, soft skills make a
great team.





#1 THREAT DETECTION MARKETPLACE

Defending over 155 countries, with top rules getting 1,500+ unique downloads,
this has been the way since 2015. Named "Spotify for Cyber Threats" by
TechCrunch and backed with $11.5 million in funding led by one of the most
recognizable Silicon Valley funds, DNX Ventures (Cylance, ICEYE). Three
mentions by Gartner: as a Cool Vendor for 2H 2019 and in the 2020 & 2021 SIEM
Magic Quadrants.



SHARED EXPERTISE

Imagine the code you wrote helps to detect emerging cyber attacks or prevent a
power grid outage. We partner with private businesses and cyber defense agencies
including NCSC and CERT teams, and provide pro bono consulting to SSSCIP in
Ukraine, to test Sigma rules on the real battlefield. In 2022, we started to
work with leading Ukrainian universities to train students on Sigma and ATT&CK
to bolster the ranks of cyber defenders. This initiative is scaling globally and
your contribution makes a difference.







EARN MONEY

Get bounty for the quality and speed of your work, not for finding bugs. Your
thoughtful threat research takes time and is worth a recurring payout. And
nothing compares to the rush of helping thousands of cyber defenders and for an
extra one-time reward. To keep it easy, bounty is delivered via Stripe and
PayPal.



REVIEWS

 * BROADENING YOUR SOC WITH ADDITIONAL SIEM RULES AND DETECTION LOGIC
   (Apr 17, 2024)
   My SOC requires additional SIEM rules and detection logic. Our SIEM out of
   the box ruleset was not broad enough to meet our requirements. TDM provides
   thousands of detections written in Sigma. Some of the content is free and we
   bought a Subscription to see the premium content. ...
   Industry: Government | Firm size: Gov't/PS/ED <5,000 Employees | Role:
   Operations

 * EXCELLENT PRODUCT FOR SIEM MIGRATION AND THREAT HUNTING (Mar 12, 2024)
   SOC Prime provided exceptional guidance and resources during and after our
   SIEM migration.
   Industry: Banking Industry | Firm size: 30B + USD | Role: IT Security and
   Risk Management

 * IF YOU MANAGE A SIEM YOU NEED SOC PRIME (Jul 12, 2023)
   We use SOC Prime daily and it is the best resource for SIEM rules.
   Industry: Healthcare and Biotech | Firm size: 500M - 1B USD | Role:
   Engineering - Other

 * CYBER THREAT HUNTING (Jul 5, 2023)
   Support is very good and easy to connect. This is a good platform for threat
   hunters.
   Industry: IT Services | Firm size: 3B - 10B USD | Role: IT

 * EXCELLENT VALUE TO SOC ANALYSTS (Jun 21, 2023)
   Overall SOC Prime has delivered an excellent experience for our SOC analysts.
   Industry: Energy and Utilities | Firm size: 3B - 10B USD | Role: IT Security
   and Risk Management

 * EXCELLENT RESOURCE TO HAVE! TURN AROUND TIME FOR THREAT DETECTIONS IS
   IMPRESSIVE (Mar 14, 2022)
   SOCPrime has been an excellent resource for us to have. The delivery time on
   custom detection rules for our tools (especially zero days) has been
   outstanding. This is a big deal since threat actors are very quick to adapt
   to new vulnerabilities. Our internal secops team can create custom ...
   Industry: Services (non-Government) | Firm size: 250M - 500M USD | Role:
   Other

 * GOOD PRODUCT AND SERVICES (Oct 10, 2020)
   Good Product and Services. SOC Prime Threat Detection Management always has
   up-to-date content for the latest attack tactics and techniques, which is
   useful for all our customers for detection, prevention and analysis.
   Industry: IT Services | Firm size: <50M USD | Role: Management / Business
   Consulting

 * SOC PRIME REVIEW FOR A GLOBAL FINANCIAL SERVICES CORPORATION (Sep 10, 2020)
   SOC Prime has proved to be a very useful purchase for our content development
   team over the past year. TDM always has up-to-date content for the latest
   attack tactics and techniques. TDM has also enabled our organization to map
   our detections to the MITRE ATT&CK framework.
   Industry: Finance (non-banking) | Firm size: 30B + USD | Role: IT Security
   and Risk Management

 * TDM HELPS US TO BE ON TOP OF NEW CVES (Sep 8, 2020)
   Experience with TDM has been good so far. It is helping us improve our
   monitoring and detection capabilities by providing already built use cases
   that would take time for our internal team to develop.
   Industry: Retail | Firm size: 30B + USD | Role: Other

 * SOC SERVICE IMPROVEMENTS (Sep 2, 2020)
   A solution service that made Security operations' life easier: it buys the
   time investment and knowledge, lets us focus more on the operations and
   service improvements, and waste less time.
   Industry: IT Services | Firm size: 500M - 1B USD | Role: IT Security and
   Risk Management

 * A GOOD SUPPORT IN OUR PROJECT OF MIGRATION FROM ONE SIEM TO ANOTHER
   (Sep 16, 2020)
   At our organisation, we are in the process of migrating from one SIEM
   technology to another one. This was an opportunity to review the use case
   library and to develop them following well-known frameworks such as MITRE
   ATT&CK. Using Threat Detection Marketplace helps to quickly identify use
   cases related to the technologies to monitor and the tactics, techniques and
   procedures of the attackers. TDM helps us to make more effective security
   monitoring rules, to port them to the new platform and eventually to reduce
   the time to prod of the use cases.
   Industry: IT Services | Firm size: <50M USD | Role: Other

 * EASY TO USE PLATFORM FOR THREAT HUNTERS (Jul 15, 2020)
   TDM is really easy to use. I like the filtration of content; it's really
   easy to find what's needed from the dozens of rules. What is more helpful
   for us in day-to-day work is the mapping to the MITRE ATT&CK framework that
   helps in uncovering the latest threats.
   Industry: Banking | Firm size: 50M - 250M USD | Role: IT Security and Risk
   Management

 * GREAT COMPANY TO WORK WITH (Jul 6, 2020)
   SOC Prime have worked with us to ensure we are making as much use of the TDM
   platform as possible. They have taken multiple feature requests and added
   them into their development pipeline.
   Industry: Finance (non-banking) | Firm size: <50M USD | Role: Other

 * REVIEW (Jul 1, 2020)
   The content is very good, regularly updated and really effective in
   detecting advanced threats; it has become a crucial part of our day-to-day
   operations.
   Industry: IT Services | Firm size: 50M - 250M USD | Role: Management /
   Business Consulting

 * TDM SUCCESS STORY (May 24, 2020)
   We have been using TDM for 2 years. The company provides a great service,
   qualified support and a personal approach. Before choosing TDM, we were
   actually looking for a solution to cover our security content needs and
   improve detection capabilities. TDM has covered these needs and moreover
   saved time for our SOC team. Over the past year they became even better and
   more mature in content quality and quantity. I think they can improve even
   more by adding some industry specific content, but still it's a good value
   for money anyway.
   Industry: Consumer Goods | Firm size: 3B - 10B USD | Role: IT Security and
   Risk Management

 * GREAT PRODUCT, GREAT EXCLUSIVE CONTENT (Jun 5, 2020)
   We bought SOC Prime as we were struggling to maintain our rule sets, which
   was putting our company at risk. Since subscribing to the Threat Detection
   Marketplace we are able to continuously update our security content without
   increasing resources. SOC Prime is now a critical part of our security
   infrastructure and increasing the venue from existing SIEM investments.
   Industry: Telecommunication | Firm size: Gov't/PS/ED 5,000 - 50,000
   Employees | Role: IT Security and Risk Management

 * GOOD, INNOVATIVE AND FLEXIBLE COMPANY (May 18, 2020)
   Aiming to gain the maximum of the Information Security department, the Bank
   reached out to SOC Prime for consulting and finally bought a subscription for
   the Threat Detection Marketplace, a platform for sharing analytical content.
   The subscription enabled us to significantly decrease the workload of the
   department employees for creating the analytical content, and put their
   efforts into investigation of the detected incidents. New valid use cases and
   detection queries are continuously added to TDM, which gives us an
   opportunity to minimize the time for detection and mitigation of threats.
   Industry: Banking | Firm size: <50M USD | Role: General Management

 * GREAT CONTENT, NEEDS VERIFICATION AND QA (Apr 16, 2020)
   The company has very knowledgeable staff and the TDM platform provides a
   plethora of great threat definitions and IOCs. I think SOC Prime could do
   better from a QA standpoint as many of the rules don't work out of the box
   and require some fine tuning.
   Industry: Finance (non-banking) Industry | Firm size: 50M - 250M USD | Role:
   IT Security and Risk Management


 * 4.9: Driven by the community feedback and cutting-edge technologies, we
   bring the best user experience
 * 12: Our Detection as Code platform receives independent feedback from
   security experts worldwide
 * 83%: We support and deliver detection and response capabilities to all
   industries across the globe






TRANSFORM YOUR SOC WITH AI

At the core of each threat detection capability lies the combination of timely
data and algorithms to find evil. Since 1999, these challenges have been
addressed with Log Analytics and SIEM systems that generate security alerts.
Two decades have passed, and most SIEM technology will help you deploy hundreds
of rules for alerting, while data lakes and built-in fast search databases
extend this with support for a few thousand threat hunting queries. It is with
AI that we can augment those capabilities to monitor hundreds of thousands of
malicious behavior patterns, anomalies and emerging threats, while avoiding
double taxation on cost and keeping our privacy and data. SOC Prime delivers AI
capabilities to any SOC as SaaS or on premise, as Content.


GREEN & RESPONSIBLE

Moving algorithms is orders of magnitude less compute-taxing than moving
terabytes of data, which is exactly what SOC Prime does: we research emerging
threats with the help of our community, code detections into rules, queries
and AI models, and deliver them to you instead of asking for your data and
duplicating it to our cloud or systems. We always train on premise, so that
your and our datasets stay private and don't leak to third parties. We will
design the most compute-efficient way of detecting all the latest threats at
your organization, so that we can spare those CPU cycles and help the Planet
carry on.


OPEN CORE

SOC Prime works with a number of open source projects and, being an Open Core
company, contributes feedback and code back. In 2023, we open sourced Uncoder
AI, our co-pilot for Detection Engineering, which can be operated air gapped or
in the cloud, with the latter benefiting from centralization features. Next
plans include integrating Uncoder with MITRE TRAM, an open source Apache 2.0
project for language recognition and CTI analysis. With the upcoming private AI
models, we are also sharing the code to operate them.


ZERO TRUST ARCHITECTURE

The best way to keep data secret is not to collect it at all. That is why SOC
Prime gives detection algorithms to you and does not ask for any of your
potentially sensitive data back. Here is our SOC 2 Type II report and GDPR
statement to back this claim. We run on Zero Trust Architecture, and put our
trust in partnership with you.



NO BACKCHANNEL

You are in complete control of what feedback you want to share if any at all. We
do not ask for root permissions, VPN access to your environments, or your log
data. If you'd like to give back to the community, you can do so by commenting
on the rule, rating it manually, or via our Discord channel.


BEYOND ENCRYPTION

No logging, IP or host information is shared with third parties. AES-256 & TLS
1.2, microservice-based architecture, personnel background checks, access
control, Amazon AWS hosting. We build the platform to exceed security standards
in order to protect the very limited personal data we have on you. And you can
always invoke the right to be forgotten, regardless of your location.









POWERED BY

Privacy, transparency, speed and security are at the core of SOC Prime
technology. We use the best tech stack with focus on open source, for the
maximum benefit of our community, while advancing innovation in cybersecurity.


We run the Apache 2.0 licensed RAPIDS AI framework for training on our
on-premise hardware, which massively helps to accelerate training time while
maintaining the privacy of our dataset and of the members of our Threat Bounty
program. With NVIDIA backing, RAPIDS has maintained a focus on open source
development and collaboration with a broad community of cutting-edge data
science projects such as SKLearn.

We have selected AWS as our primary cloud for its speed, scalability and high
availability. All SOC Prime SaaS services run on a private AWS segment, which,
coupled with our company's processes, has passed SOC 2 Type II certification
successfully for 4 consecutive years. Some of our products, such as Uncoder and
privately trained AI models, are available on AWS as well as for on-premise and
air-gapped use.

In 2024 we became the world's first Benefactor of ATT&CK. We've applied ATT&CK
since its beta and linked it to threat detection rules and queries in 2018,
which helped to establish a massive community and launch the crowdsourced
Threat Bounty initiative. We view ATT&CK as fundamental to cyber security as
the Periodic table is to physics and chemistry.

Cyber security has to work beyond fast, so to fuel our research and provide our
customers with the fastest search speeds for threat hunting we rely on
OpenSearch. Being an Apache 2.0 open source project, it greatly contributes to
our own Open Core company principles.

Threat Report ATT&CK Mapper (TRAM) is an open-source Apache 2.0 platform
designed to reduce the cost and increase the effectiveness of integrating
ATT&CK across the CTI community. The platform works out of the box to identify
up to 50 common ATT&CK techniques in text documents; it also supports tailoring
the model by annotating additional items and rebuilding the model. We've
integrated TRAM with RAPIDS to provide ML & AI capabilities for community,
cloud and on-premise use.

Roota is the endgame language for detection algorithm exchange, easy for
newcomers and professionals alike, building on ideas advocated by Sigma and
taking them further. It is a public-domain language for collective cyber
defense, created to make threat detection, incident response, and actor
attribution simple. It acts as an open-source wrapper on top of the majority of
existing SIEM, EDR, XDR, and Data Lake query languages. If you have mastered at
least one specific SIEM language, with Roota you can speak them all.

Sigma rules have delivered on the mission of an easy, shareable query language
geared towards threat hunters and DFIR specialists. We've been leading the
Sigma community since 2017, advocated its mapping to ATT&CK at the very first
EU ATT&CK conference, and built Uncoder.IO to provide high quality, enterprise
grade translations of Sigma rules, which we have made open-source under Apache
2.0. Over 2 million Sigma rules were downloaded from SOC Prime in 2023 alone,
70% by our own community.

Uncoder AI is the SaaS counterpart and Augmented Intelligence co-pilot of
Uncoder IO, leveraged by the global cyber defender community since 2018 as an
industry-first open-source IDE for Detection Engineering.




MITRE ATT&CK

One framework connecting all your industry peers. Similar to the periodic table
of elements, MITRE ATT&CK is evidence-based, letting you profile, identify, and
compare threat actors, and prioritize your threat detection goals.




SOC Prime has been actively leveraging ATT&CK in threat detection practices and
initial cyber attack attribution to facilitate its adoption as the industry
benchmark. SOC Prime invented the whole concept of tagging Sigma rules with
ATT&CK and applied it to the public NotPetya investigation and the first-pass
attribution in 2017. At the very first MITRE ATT&CK EU Community workshop in
2018 in Luxembourg, we solidified the concept into practice with the support of
like-minded cyber defense practitioners.

Sigma and ATT&CK, the two open-source standards, have empowered hundreds of
researchers to describe attackers’ behavior, while SOC Prime Platform made it
easy to discover and analyze adversary TTPs, find blind spots in log source
coverage, address existing gaps, prioritize detection procedures, and share the
TTP context with peers in 45 major SIEM, EDR, and Data Lake detection languages.






ATTACK DETECTIVE

Industry-first SaaS for advanced threat hunting. Validate detection stack in
less than 300 seconds with an automated read-only MITRE ATT&CK® data audit, gain
real-time attack surface visibility, investigate existing risks matching custom
threat hunting scenarios, and prioritize detection procedures to find breaches
before adversaries have a chance to attack.





UNCODER

Spending precious time managing multiple stacks? With Uncoder.IO backed by Sigma
and Roota, an open-source language for collective cyber defense, you can
seamlessly speak the language of any technology. No matter how many tools you
use, our open-source IDE for Detection Engineering lets anyone convert detection
code to multiple SIEM, EDR, XDR, and Data Lake technologies on the fly. No
registration, no limits, full privacy.


An open-source language for collective cyber defense. RootA is a public-domain
language for collective cyber defense to make threat detection, incident
response, and actor attribution simple. With Roota acting as a wrapper, cyber
defenders can take a native rule or query and augment it with metadata to
automatically translate the detection code into any SIEM, EDR, XDR, and Data
Lake languages. And if you have mastered a specific cybersecurity language, with
RootA and Uncoder IO, you can speak them all.

Roota rule example:

name: Possible Credential Dumping Using Comsvcs.dll (via cmdline)
details: Adversaries can use built-in library comsvcs.dll to dump credentials
    on a compromised host.
author: SOC Prime Team
severity: high
type: query
class: behaviour
date: 2020-05-24
mitre-attack: t1003.001
timeline:
    2022-04-01 - 2022-08-08: Bumblebee
    2022-07-27: KNOTWEED
    2022-12-04: UAC-0082, CERT-UA#4435
logsource:
    product: Windows                # Sigma or OCSF product
    log_name: Security              # OCSF log name
    class_name: Process Activity    # OCSF class
    #category:                      # Sigma category
    #service:                       # Sigma service
    audit:
      source: Windows Security Event Log
      enable: Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Detailed Tracking -> Audit Process
detection:
    language: splunk-spl-query
    body: index=* ((((process="*comsvcs*") AND (process="*MiniDump*")) OR ((process="*comsvcs*") AND (process="*#24*"))) OR ((process="*comsvcs*") AND (process="*full*")))
references:
    - https://badoption.eu/blog/2023/06/21/dumpit.html
tags: Bumblebee, UAC-0082, CERT-UA#4435, KNOTWEED, Comsvcs, cir_ttps, ContentlistEndpoint
license: DRL
version: 1
uuid: 151fbb45-0048-497a-95ec-2fa733bb15dc
#correlation: [] # extended format
#response: []    # extended format









SIGMA

One language to describe any adversary TTP and translate it to any detection
code. With Sigma rules, we express threat detection by focusing on behavior and
the algorithm itself, cutting the rope to SIEM & EDR query language.

 * SecurityEvent |  where EventID == 4688 | where ((ParentProcessName endswith @'\UMWorkerProcess.exe') and ((NewProcessName !endswith @'\wermgr.exe' or NewProcessName !endswith @'\werfault.exe')))
   
   
   
   

 * title: UMWorkerProcess Creating Unusual Child Process (via process_creation)
   status: stable
   description: Detects UMWorkerProcess.exe creating unexpected processes. Possible related to exploitation of CVE-2021-26857.
   author: SOC Prime Team, Microsoft
   references:
       - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
       - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857
       - https://www.rapid7.com/blog/post/2022/09/29/suspected-post-authentication-zero-day-vulnerabilities-in-microsoft-exchange-server/
   tags:
       - attack.initial_access
       - attack.t1190
   logsource:
       category: process_creation
       product: windows
   detection:
       selection:
           ParentImage|endswith:
               - 'UMWorkerProcess.exe'
       filter:
           Image|endswith:
               - 'wermgr.exe'
               - 'WerFault.exe'
               - 'UMWorkerProcess.exe'
       condition: selection and not filter
   falsepositives:
       - unknown
   level: medium
   
   
   
   

 * source="WinEventLog:*" AND ((ParentImage="*\\UMWorkerProcess.exe") AND  NOT ((Image="*\\wermgr.exe" OR Image="*\\werfault.exe")))
   
   
   
   

 * SELECT UTF8(payload) from events where LOGSOURCETYPENAME(devicetype)='Microsoft Windows Security Event Log' and ("ParentImage" ilike '%\UMWorkerProcess.exe') and not (("Image" ilike '%\wermgr.exe' or "Image" ilike '%\werfault.exe'))
   
   
   
   

 * ((ParentBaseFileName="*\\UMWorkerProcess.exe") AND  NOT ((ImageFileName="*\\wermgr.exe" OR ImageFileName="*\\werfault.exe")))
   
   
   
   

 * (process.parent.executable.text:*\\UMWorkerProcess.exe AND (NOT (process.executable.text:(*\\wermgr.exe OR *\\werfault.exe))))
   
   
   
   

 * SELECT * FROM windows WHERE (process.parent.executable ILIKE "%\\UMWorkerProcess.exe") AND NOT (process.executable ILIKE "%\\wermgr.exe" OR process.executable ILIKE "%\\werfault.exe")
   
   
   
   

 * Securonix:
   index = activity AND (rg_functionality = "Microsoft Windows" AND (@sourceprocessname ENDS WITH "\UMWorkerProcess.exe") AND  NOT (((@destinationprocessname ENDS WITH "\wermgr.exe" OR @destinationprocessname ENDS WITH "\werfault.exe") OR (@customstring54 ENDS WITH "\wermgr.exe" OR @customstring54 ENDS WITH "\werfault.exe"))))

Translations shown for this rule: Microsoft Sentinel, Sigma, Splunk, QRadar, CrowdStrike, Elastic, Snowflake, Securonix, and more.
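The rule's `selection and not filter` logic, applied to a few constructed process_creation events, as an added Python example (this is not SOC Prime's or the Sigma project's code; the events, the field names and the helper names are assumptions made for the illustration). Sigma string matching is case-insensitive unless the `cased` modifier is used, so the evaluator lower-cases both sides. The example also surfaces one thing to check before deploying a translation: the Sigma filter above lists three child images (`wermgr.exe`, `WerFault.exe`, `UMWorkerProcess.exe`), while the translated SIEM queries above exclude only `wermgr.exe` and `werfault.exe`, so a `UMWorkerProcess.exe` child is suppressed by the Sigma rule but alerted on by the translations.

```python
"""Evaluate the Sigma logic 'selection and not filter' over constructed
process_creation events. Added example; not code from the page's rule or
from SOC Prime. Event shapes and helper names are assumptions."""

# Field/modifier pairs copied from the Sigma rule above.
SELECTION = {"ParentImage|endswith": ["UMWorkerProcess.exe"]}
FILTER = {"Image|endswith": ["wermgr.exe", "WerFault.exe", "UMWorkerProcess.exe"]}

# The translated SIEM queries above exclude only these two child images.
TRANSLATED_FILTER = {"Image|endswith": ["wermgr.exe", "werfault.exe"]}


def match_endswith(value: str, suffixes: list) -> bool:
    """Sigma 'endswith' without the 'cased' modifier: case-insensitive suffix match."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def match_block(event: dict, block: dict) -> bool:
    """A Sigma map (selection/filter) matches when every field/modifier pair matches (AND)."""
    for key, values in block.items():
        field, _, modifier = key.partition("|")
        if modifier != "endswith":
            # Only the modifier used by this rule is implemented here.
            raise ValueError(f"unsupported Sigma modifier: {modifier!r}")
        if field not in event or not match_endswith(str(event[field]), values):
            return False
    return True


def rule_matches(event: dict, filter_block: dict = FILTER) -> bool:
    """condition: selection and not filter"""
    return match_block(event, SELECTION) and not match_block(event, filter_block)


# Constructed sample events (assumed Sysmon-style field names; not real telemetry).
EVENTS = [
    # 1: Exchange UM worker spawning a shell -> should alert.
    {"id": 1,
     "ParentImage": r"C:\Program Files\Microsoft\Exchange Server\V15\Bin\UMWorkerProcess.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    # 2: Windows Error Reporting child -> listed in the filter, benign crash handling.
    {"id": 2,
     "ParentImage": r"C:\Program Files\Microsoft\Exchange Server\V15\Bin\UMWorkerProcess.exe",
     "Image": r"C:\Windows\System32\WerFault.exe"},
    # 3: Different parent -> selection does not match.
    {"id": 3,
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    # 4: Worker respawning itself -> filtered by Sigma, NOT by the translated queries.
    {"id": 4,
     "ParentImage": r"C:\Program Files\Microsoft\Exchange Server\V15\Bin\UMWorkerProcess.exe",
     "Image": r"C:\Program Files\Microsoft\Exchange Server\V15\Bin\UMWorkerProcess.exe"},
    # 5: Lower-case path as some log sources emit it -> still matches (case-insensitive).
    {"id": 5,
     "ParentImage": r"c:\program files\microsoft\exchange server\v15\bin\umworkerprocess.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]


def alerts(events: list, filter_block: dict = FILTER) -> list:
    """Return the ids of events the rule would alert on."""
    return [e["id"] for e in events if rule_matches(e, filter_block)]


def translation_gap(events: list) -> set:
    """Ids that alert under the translated filter but not under the Sigma filter."""
    return set(alerts(events, TRANSLATED_FILTER)) - set(alerts(events, FILTER))


if __name__ == "__main__":
    print("Sigma filter alerts:     ", alerts(EVENTS))
    print("Translated filter alerts:", alerts(EVENTS, TRANSLATED_FILTER))
    print("Only in translations:    ", translation_gap(EVENTS))
```

When validating a converted rule, run the original and the translation over the same sample set and diff the results, as `translation_gap` does here; a filter entry dropped in conversion changes the rule's false-positive profile without changing its detection intent.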






THE PRIME HUNT

Concentrate on the hunt itself, by breaking through UI limitations. The Prime
Hunt is an open-source browser extension to quickly convert, apply and customize
Sigma rules across the widest stack of SIEM and EDR. A fresh project launched in
October 2022, with plans to embed Uncoder.IO, feedback loops, and anything you
can imagine. Be part of the story, and contribute with a pull request at GitHub.
Contribute via GitHub >





Faster Than Attackers



PROACTIVE CYBER DEFENSE

The world stands on the brink of a global cyber war. Each side is trying to
learn about a new software or configuration flaw so they can have the
first-strike advantage. The side that can weaponize and strike first will have a
clear upper hand. The defenders, in turn, need to understand the risk,
prioritize actions, and then implement a detection and mitigation strategy. The
blue team has the odds stacked against them. To overcome these odds, we can do one
thing that the attackers cannot: we can defend together and improve our chances
for success.



FASTER THAN ATTACKERS

With MITRE ATT&CK, the global community of cyber defenders retrospectively
describes every common method used in cyber attacks. Meanwhile, the invention of
Sigma rules allowed defenders to describe every used and potentially usable
attack behavior and logic through the detection code. By fusing ATT&CK and
Sigma, we've created a knowledge base that is updated every minute and is
searchable by defenders at sub-second performance. This presents an opportunity
for defenders to learn about threats faster, prioritize in minutes, deploy
detection code in an automated fashion and focus their effort on operations and
preparing mitigation before adversaries have a chance to attack.
SEARCH NOW





MASTER THE TIMELINE

Assembling a threat timeline takes time. That's why we automated it. Complete
threat context is now at your fingertips, including: detection code, threat
intelligence, CVE descriptions, exploit POCs along with mitigation and media
links.

Media: 12 Oct 2022
CVE: 13 Oct 2022
#threatintel: 13 Oct 2022
Exploit: 17 Oct 2022
Sigma Rule: 21 Oct 2022


24-HOUR THREAT COVERAGE

When detecting critical threats, you have no time to spare. Backed by our
crowdsourcing initiative, we run follow-the-sun detection engineering operations
leaving no chance for emerging threats, exploits, or TTPs to go undetected on
your watch.



HYPERSCALE SIEM MIGRATION

Backed by SOC Prime’s Expertise-as-a-Service and Uncoder AI, you can smoothly
navigate the migration challenges and hyperscale your next-gen SIEM
adoption. Rely on AI SIEM migration to accelerate the transition of your SIEM and
EDR rules and queries. Expand your detection capabilities with Data Lakes.
Streamline the onboarding of MDR services, complementing your existing analytics
setup. Leverage the diverse SOC Prime partner ecosystem to strengthen your
Threat Hunting and Detection Engineering strategies, ensuring rapid scalability
and ongoing SOC efficiency enhancement.
START AI SIEM MIGRATION JOURNEY


SPLUNK MIGRATION & SUPPORT

Maximize your Splunk ROI and accelerate time to value while increasing threat
detection & hunting velocity with SOC Prime’s professional services. Considering
Splunk migration to a new-scale SIEM? Supercharge the migration journey powered
by Uncoder AI to smoothly translate and transition terabytes of data while
saving up to 3 months of time on your migration project.
LEARN MORE




JOIN THE GLOBAL COMMUNITY OF CYBER DEFENDERS



Explore AI capabilities with free community access and engage in discussions
at our dedicated Discord space. If you’re looking to extend the cyber defences of
your organization with AI, threat intelligence and Detection as Code, we’d be
happy to speak.

SIGN UP / TALK WITH SALES

SOC Prime, SOC Prime Logo and Threat Detection Marketplace are registered
trademarks of SOC Prime, Inc. All other trademarks are the property of their
respective owners.
