December 2024


Note

This article was originally published on December 18, 2024.

Product update

Entities and Automatic Investigation for Custom Detectors

Starting in December we will gradually roll out support of Entities and corresponding Automatic Investigation for some custom detectors. This capability is meant to significantly improve investigation capabilities and data completeness for custom detectors.

Over the next few weeks, most custom detectors built on top of Hunters' event sources (from the UI or API) will start including Entities.

We’re continuing to work on this area to ensure custom detectors provide full context for successful triage and investigation.

Feel free to contact Hunters Support if you have any questions or requests.


Integrations

StrongDM

StrongDM is a Zero Trust Privileged Access Management (PAM) platform that extends the capabilities of traditional privileged access management to support all modern infrastructure, including databases, servers, Kubernetes clusters, clouds, and web applications. StrongDM combines authentication, authorization, networking, and observability into a single platform, providing secure and auditable access for the precise amount of time that access is needed.

The new integration includes:

  • 2 supported logs:

    • strongDM Activity Logs

    • strongDM Query Logs

  • Ingestion of the data to the data lake

  • Mapping the data to IOC Search

  • Mapping to the Hunters Login Schema


Microsoft Graph API

The Microsoft Graph API provides a single endpoint to access data and interact with Microsoft 365 services like Azure Active Directory, Teams, Outlook, and OneDrive. It uses RESTful calls to manage resources such as users, groups, messages, and files. The API simplifies integration with Microsoft services, enabling developers to build applications that work across the Microsoft ecosystem.

The new integration includes:

  • Ingestion of the data to the data lake

  • Mapping the data to IOC Search

  • Mapping to the Hunters Web Requests Schema


⚠️ Note

In the next few months, the CrowdStrike Detections data type (crowdstrike_detects) will be deprecated, following API changes in CrowdStrike. To avoid disruption, connect CrowdStrike Falcon Event Streams (crowdstrike-falcon-event-streams) instead.

CrowdStrike Falcon Event Streams

CrowdStrike Falcon Event Streams provide real-time access to rich telemetry data from endpoints protected by the Falcon platform. These event streams allow organizations to monitor and analyze security events, such as process execution, network connections, and file activities, as they happen. By leveraging this data, security teams can build custom integrations, enhance threat detection capabilities, and automate responses to potential threats.

The new integration includes:

  • Ingestion of the data to the data lake

  • Mapping the data to IOC Search

  • Mapping to the Hunters Login Schema

  • Third-party alerts


HPE Aruba Networking

HPE Aruba ClearPass alerts notify administrators of security events and policy violations within the network. These alerts provide critical information about unauthorized access attempts, suspicious activity, or endpoint compliance issues, enabling swift action to mitigate risks. They can be configured to trigger automated responses or integrate with third-party security tools for enhanced incident management.

The new integration includes:

  • Ingestion of the data to the data lake

  • Mapping the data to IOC Search

  • Mapping to the Hunters Login Schema



Detection

Modified detectors

🔎 Azure AD sign-in marked as risky by Microsoft

Detector ID: azure_risky_signin

This third-party detector generated massive amounts of leads, all of which were added to the SOC Queue, overloading the SOC team members responsible for triage. Furthermore, the detector did not lower the confidence of risky sign-ins that were followed by remediation events.

We’ve adjusted the detector logic as follows:

  • Simplified the detector to filter on atRisk and confirmedCompromised events only. This calibrates the coverage on risky sign-in attempts while reducing the overall noise by 50%.

  • Exposed the client_os and device_trust_type fields to provide more context and facilitate the triage process. The latter is especially useful since it indicates whether the device is managed.

  • Added a new enrichment that presents all remediated sign-in attempts (per user and correlation ID) that occurred up to 90 minutes after the risky sign-in attempt.

  • Applied improved scoring models to reduce confidence to a minimum if a remediated sign-in event was seen after a risky sign-in event.

  • Adjusted the SOC Queue alert threshold.

Overall, these improvements will reduce the number of alerts in the SOC Queue from this detector by 85%.
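The adjusted logic described above (filter on atRisk/confirmedCompromised, a 90-minute remediation enrichment per user and correlation ID, confidence reduced to the minimum when a remediation follows, and a SOC Queue threshold), as an added illustration in Python. This is not Hunters' detector code: the event field names, the sample sign-in records and the confidence values are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample Azure AD sign-in events. Field names loosely follow the
# Microsoft Graph signIn resource and are an assumption, not Hunters' schema.
SIGNINS = [
    {"user": "alice@example.com", "corr": "c-1", "riskState": "atRisk",
     "time": "2024-12-01T10:00:00Z", "clientOs": "Windows 10", "trustType": "Azure AD joined"},
    {"user": "alice@example.com", "corr": "c-1", "riskState": "remediated",
     "time": "2024-12-01T10:40:00Z", "clientOs": "Windows 10", "trustType": "Azure AD joined"},
    {"user": "bob@example.com", "corr": "c-2", "riskState": "confirmedCompromised",
     "time": "2024-12-01T11:00:00Z", "clientOs": "Linux", "trustType": ""},
]

RISKY_STATES = {"atRisk", "confirmedCompromised"}  # the simplified filter from the page
REMEDIATION_WINDOW = timedelta(minutes=90)         # enrichment look-ahead window
BASE_CONFIDENCE, MIN_CONFIDENCE = 70, 5            # illustrative scores (assumed)
SOC_QUEUE_THRESHOLD = 50                           # illustrative threshold (assumed)

def _ts(event):
    return datetime.strptime(event["time"], "%Y-%m-%dT%H:%M:%SZ")

def remediated_after(risky, signins):
    """Remediated sign-ins for the same user and correlation ID seen within
    REMEDIATION_WINDOW after the risky sign-in (the page's enrichment)."""
    t0 = _ts(risky)
    return [e for e in signins
            if e["riskState"] == "remediated"
            and e["user"] == risky["user"] and e["corr"] == risky["corr"]
            and t0 <= _ts(e) <= t0 + REMEDIATION_WINDOW]

def triage(signins):
    leads = []
    for ev in signins:
        if ev["riskState"] not in RISKY_STATES:
            continue  # drop everything that is not atRisk / confirmedCompromised
        fixes = remediated_after(ev, signins)
        leads.append({
            "user": ev["user"], "risk_state": ev["riskState"],
            "client_os": ev["clientOs"],           # exposed for triage context
            "device_trust_type": ev["trustType"],  # tells the analyst whether the device is managed
            "remediated_signins": fixes,
            # scoring: confidence falls to the minimum when a remediation followed the risky sign-in
            "confidence": MIN_CONFIDENCE if fixes else BASE_CONFIDENCE,
        })
    return leads

def soc_queue(leads):
    return [l for l in leads if l["confidence"] >= SOC_QUEUE_THRESHOLD]
```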

🔎 PowerShell outgoing connection with new commandline

Detector ID: edr_powershell_outgoing_connection

During routine work, we’ve identified an opportunity to enhance the detector accuracy and scoring.

We’ve adjusted the detector logic as follows:

  • Noise reduction: The learning key was volatile, affected by UUIDs, username folders, and different product versions. We’ve created a normalized version of it that is less volatile, so the learning is more effective. Overall, this step decreases noise by 80%.

  • Scoring: Scoring layers and threat intel feed scoring were optimized.
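One way to build the less volatile learning key described above, as an added Python example that is not Hunters' implementation: UUIDs, the username folder under Users, and dotted version numbers are replaced with placeholders so that the same script run from different accounts, temp folders and product versions yields one key. The regexes, placeholder tokens and sample command lines are constructed assumptions.

```python
import re

# Volatile parts of a command line that should not make the learning key unique.
UUID_RE = re.compile(r"\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b")
USER_DIR_RE = re.compile(r"(\\users\\)[^\\\s\"']+")  # C:\Users\<name>\...
VERSION_RE = re.compile(r"\b\d+(?:\.\d+){1,3}\b")   # 2.1.4, 7.4.0.1 (note: also collapses dotted IPs)

def normalize_commandline(cmd: str) -> str:
    """Collapse the volatile parts so that equivalent command lines share one key."""
    key = cmd.strip().lower()                 # lower-case first so the hex and path regexes match
    key = UUID_RE.sub("<uuid>", key)
    key = USER_DIR_RE.sub(r"\g<1><user>", key)
    key = VERSION_RE.sub("<version>", key)
    return re.sub(r"\s+", " ", key)           # squeeze whitespace differences

def is_new_commandline(cmd: str, learned: set) -> bool:
    """True if the normalized key was not observed during the learning period."""
    return normalize_commandline(cmd) not in learned

# Constructed samples: the same update script run by two users from different
# per-run temp folders with different product versions.
SAMPLES = [
    r'powershell.exe -NoProfile -File "C:\Users\jdoe\AppData\Local\Temp\a1b2c3d4-e5f6-7890-abcd-ef1234567890\update.ps1" -Version 2.1.4',
    r'POWERSHELL.EXE -NoProfile -File "C:\Users\msmith\AppData\Local\Temp\0f0e0d0c-0b0a-0908-0706-050403020100\update.ps1" -Version 2.2.0',
]
```

With the raw command lines as keys every run would look new; after normalization the second sample is recognised as already learned.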