What Changed
Version 3.0.1 of the SOC Prime CCF solution adds three new Analytic Rules for detecting security-relevant administrative activities and suspicious authentication events within the SOC Prime platform.
Detection Logic
The new rules query the SOCPrimeAuditLogs_CL table:
SOC Prime Deleted Custom Field Mapping Profile:
- Detects deletion of Custom Field Mapping profiles (EventName == "Deleted a Custom Field Mapping profile")
- Maps to MITRE T1562.001 (Disable or Modify Tools)
- Medium severity with Defense Evasion tactic
SOC Prime Deleted Tenant:
- Detects tenant deletion events (EventName == "Deleted a Tenant")
- Maps to MITRE T1562.001 (Disable or Modify Tools)
- Medium severity with Defense Evasion tactic
Successful Logins from Bad IP Addresses:
- Cross-references successful logins against a watchlist of known malicious source IPs (the 'blacklistOfIps' watchlist)
- Maps to MITRE T1078 (Valid Accounts)
- Medium severity with Initial Access tactic
- Uses _GetWatchlist('blacklistOfIps') to identify known malicious source IPs
MITRE Mapping
- T1078 (Valid Accounts): Login detection from known malicious IPs
- T1562.001 (Impair Defenses: Disable or Modify Tools): Administrative deletion events that could impact security monitoring capabilities
All rules include entity mappings for Account (UserName) and IP (SourceIp) to enable enrichment and correlation with other security events.
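The following is an added, illustrative analytic rule in the Sentinel YAML format, covering both the watchlist-based login check described under "Detection Logic" and the Account/IP entity mappings described above. It is not the SuccessLoginFromBadIp.yaml shipped in the solution. The rule id is a placeholder, the connector id and the EventName value for a successful login are assumptions to be confirmed against the solution's own files and real SOCPrimeAuditLogs_CL data, and the example assumes the watchlist's configured search key is the IP address (which Sentinel exposes as the SearchKey column):

```yaml
id: 00000000-0000-0000-0000-000000000000   # placeholder, not the shipped rule's id
name: SOC Prime - Successful Login from Bad IP (illustrative example)
description: |
  Flags successful logins to the SOC Prime platform whose source IP appears in the
  'blacklistOfIps' watchlist. Illustrative rule, not the file shipped in the solution.
severity: Medium
requiredDataConnectors:
  - connectorId: SOCPrimeAuditLogs   # assumed; verify against ValidConnectorIds.json
    dataTypes:
      - SOCPrimeAuditLogs_CL
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - InitialAccess
relevantTechniques:
  - T1078
query: |
  // Watchlist lookup: SearchKey is the column Sentinel populates from the
  // watchlist's configured search key (assumed here to be the IP address).
  let badIps = _GetWatchlist('blacklistOfIps')
      | project BadIp = tostring(SearchKey);
  SOCPrimeAuditLogs_CL
  // The EventName value for a successful login is assumed; confirm against real data
  | where EventName == "Logged in"
  | where isnotempty(SourceIp)
  // Inner join keeps only logins whose source IP is on the watchlist
  | join kind=inner badIps on $left.SourceIp == $right.BadIp
  | project TimeGenerated, UserName, SourceIp, EventName
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: UserName
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SourceIp
version: 1.0.0
kind: Scheduled
```

The two deletion rules differ from this only in the query (a plain filter on the EventName values listed under "Detection Logic") and in the tactic and technique fields (DefenseEvasion / T1562.001); the entity mappings on UserName and SourceIp are the same. Keeping queryPeriod equal to queryFrequency avoids re-alerting on the same login each run.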
Affected Files
.script/tests/KqlvalidationsTests/CustomTables/SOCPrimeAuditLogs_CL.json
.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
Solutions/SOC Prime CCF/Analytic Rules/SOCPrimeDeletedCustomFieldMappingProfile.yaml
Solutions/SOC Prime CCF/Analytic Rules/SOCPrimeDeletedTenant.yaml
Solutions/SOC Prime CCF/Analytic Rules/SuccessLoginFromBadIp.yaml
Solutions/SOC Prime CCF/Data Connectors/SOCPrime_ccp/SOCPrime_DataConnectorDefinition.json
(packaging artefacts: 3.0.1.zip, ReleaseNotes.md, Solution_SOCPrimeAuditLogs.json, createUiDefinition.json, mainTemplate.json)