February 2025


💡Note

This article was originally published on February 28, 2025.

Product updates

Improved Filtering for Data Sources and Data Types

We've enhanced the Data Source filter across the Leads page, Stories page, and SOC Queue so that it returns more accurate and relevant results. Previously, filtering by a data source could also match peripheral data sources, producing unexpected results. To improve the user experience, we've made the following changes, which take effect on March 9, 2025 and give a uniform experience across the different pages:

  • Leads Page, SOC Queue, and Detectors Page: These pages will include a Data Source filter that will return results only for the selected data source, and a new Data Type filter that will allow you to refine results based on specific data types.

  • Stories Page: The Data Source filter has been renamed Data Type and will now return results only for the selected data types.

  • API Enhancement: A new Data Type parameter has been added to our API, allowing users to filter results based on specific data types. This works alongside the existing Data Sources parameter for more precise data retrieval.

❗Action required

The above-mentioned changes will affect saved SOC Queue tabs using the Data Source filter. To make sure your tabs show the filter values properly after March 9th, open the relevant tabs and reselect the data sources under the Data Source filter.

These improvements provide more control over filtering, ensuring users can quickly and efficiently find the most relevant information.


Integrations

Normalyze

Normalyze is a data security platform that helps organizations discover, classify, and protect sensitive data across cloud environments. It provides visibility into data assets, identifies security risks, and ensures compliance with industry regulations. Using automated scanning and AI-driven analysis, Normalyze detects misconfigurations, unauthorized access, and potential data exposures. It enables security teams to enforce data protection policies, prevent breaches, and maintain a strong security posture across multi-cloud infrastructures.

The integration includes:

  • Ingestion of the data to the data lake

  • Mapping of the data to IOC Search

Learn more here

Lookout

Lookout is a cloud security platform that protects mobile devices, endpoints, and cloud applications from cyber threats and data breaches. It provides real-time threat detection, phishing protection, and data loss prevention by analyzing user behavior and device activity. Lookout secures organizations against mobile malware, unauthorized access, and compliance risks, helping businesses protect sensitive data across remote and hybrid work environments.

The integration includes:

  • Ingestion of the data to the data lake

  • Mapping of the data to IOC Search

Learn more here

NGINX

NGINX is a high-performance web server, reverse proxy, and load balancer designed for handling large volumes of traffic efficiently. It is widely used to serve static content, manage API traffic, and optimize application delivery. NGINX improves website performance with features like caching, compression, and SSL termination while enhancing security by mitigating DDoS attacks and unauthorized access. Its scalability and flexibility make it a popular choice for modern web applications and cloud environments.

The integration includes:

  • Ingestion of the data to the data lake

  • Mapping of the data to IOC Search

Learn more here

Cloudflare

Cloudflare sits between clients and origin servers as a reverse proxy, caching site content on the edge server closest to the visitor to shorten loading times. Because it is in the request path it can also rewrite content, such as images and rich text, for better performance.

Cloudflare Access Requests

Cloudflare Access Requests logs capture authentication and authorization events for applications protected by Cloudflare Access. These logs include details such as user identity, access method, request timestamps, and policy decisions (granted or denied). They help organizations monitor access attempts, enforce security policies, and audit user activity for compliance.

The integration includes:

  • Ingestion of the data to the data lake

  • Mapping of the data to IOC Search

Cloudflare Audit Logs

Cloudflare Audit Logs record administrative actions taken within a Cloudflare account, including configuration changes, user management updates, and security policy modifications. These logs provide visibility into who made changes, what actions were performed, and when they occurred, helping organizations track activity, enforce compliance, and investigate security incidents.

The integration includes:

  • Ingestion of the data to the data lake

  • Mapping of the data to IOC Search

Cloudflare Gateway HTTP Requests

Cloudflare Gateway HTTP Requests logs capture detailed information about web traffic passing through Cloudflare’s secure web gateway. These logs include request URLs, methods, response codes, user identities, threat detections, and policy enforcement actions. They help organizations monitor and control web access, detect malicious activity, and enforce security policies.

The integration includes:

  • Ingestion of the data to the data lake

  • Mapping to relevant Hunters schemas

  • Mapping of the data to IOC Search

Learn more here


Detection

Detection improvements

Asset Tagging for Azure Managed Identities

We’re excited to introduce a new Asset Tagging feature for Azure Managed Identities, aimed at improving visibility and tracking of Azure service principals of type Managed Identity. This tagging is based on two key sources:

  • Creation Events: We track “Add service principal” events from the Azure Audit Logs with specific parameters that identify Managed Identities.

  • Activity Events: We monitor various operations performed over Azure resources, as logged in the Azure Activity Logs, using parameters that indicate the operation was initiated by a Managed Identity.

Additionally, the tagging will specify the type of Managed Identity, distinguishing between User-Assigned Managed Identity (UAMI) and System-Assigned Managed Identity (SAMI).
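As an added example (not Hunters' own tagging code), the following Python shows how the two sources described above can be combined into one asset-tag table, and how the UAMI/SAMI distinction can be derived. The page does not name the parameters it keys on; this example assumes that an Entra "Add service principal" audit event carries a `ServicePrincipalType` modified property equal to `ManagedIdentity` and an `AlternativeNames` property whose `isExplicit=True`/`False` entry marks user- versus system-assigned identities, and that Azure Activity Log records expose the caller's token claims including `xms_mirid` (the ARM resource ID of the managed identity). Field names and all sample records are constructed for illustration.

```python
"""Tag Azure Managed Identities from Entra audit logs and Azure Activity Logs.

Added example, not Hunters' code. Field names (ServicePrincipalType,
AlternativeNames, xms_mirid, claims) are assumptions about the log schema.
"""
import json
import re

OID_CLAIM = "http://schemas.microsoft.com/identity/claims/objectidentifier"
UAMI_RE = re.compile(r"/providers/Microsoft\.ManagedIdentity/userAssignedIdentities/", re.I)

# Constructed sample object IDs (not real tenant data).
SAMI_OID = "11111111-1111-1111-1111-111111111111"
UAMI_OID = "22222222-2222-2222-2222-222222222222"
APP_OID = "33333333-3333-3333-3333-333333333333"
FUNC_OID = "44444444-4444-4444-4444-444444444444"

def _sp_audit(oid, name, props):
    return {"activityDisplayName": "Add service principal",
            "targetResources": [{"id": oid, "displayName": name, "modifiedProperties": props}]}

# Constructed "Add service principal" audit events: newValue is JSON-encoded text,
# as Entra audit exports render it.
AUDIT_EVENTS = [
    _sp_audit(SAMI_OID, "vm-web-01", [
        {"displayName": "ServicePrincipalType", "newValue": json.dumps("ManagedIdentity")},
        {"displayName": "AlternativeNames", "newValue": json.dumps([
            "isExplicit=False",
            "/subscriptions/s1/resourceGroups/rg/providers/Microsoft.Compute/virtualMachines/vm-web-01"])},
    ]),
    _sp_audit(UAMI_OID, "id-ci-runner", [
        {"displayName": "ServicePrincipalType", "newValue": json.dumps("ManagedIdentity")},
        {"displayName": "AlternativeNames", "newValue": json.dumps([
            "isExplicit=True",
            "/subscriptions/s1/resourceGroups/rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-ci-runner"])},
    ]),
    # Ordinary app registration: must NOT be tagged.
    _sp_audit(APP_OID, "my-app", [
        {"displayName": "ServicePrincipalType", "newValue": json.dumps("Application")},
    ]),
]

# Constructed Azure Activity Log records with caller claims.
ACTIVITY_EVENTS = [
    {"operationName": "Microsoft.KeyVault/vaults/secrets/getSecret/action",
     "claims": {OID_CLAIM: FUNC_OID,
                "xms_mirid": "/subscriptions/s1/resourceGroups/rg/providers/Microsoft.Web/sites/func-billing"}},
    # Human caller: no xms_mirid claim, so no tag.
    {"operationName": "Microsoft.Compute/virtualMachines/start/action",
     "claims": {OID_CLAIM: "55555555-5555-5555-5555-555555555555",
                "name": "alice@example.com"}},
]

def mi_type_from_resource_id(mirid):
    """A UAMI is its own ARM resource; anything else in xms_mirid is the host resource (SAMI)."""
    return "UAMI" if UAMI_RE.search(mirid) else "SAMI"

def _prop(props, name):
    for p in props:
        if p.get("displayName") == name:
            return json.loads(p.get("newValue") or "null")
    return None

def tag_from_audit(event):
    """Creation source: an 'Add service principal' event whose type is ManagedIdentity."""
    if event.get("activityDisplayName") != "Add service principal":
        return None
    for tr in event.get("targetResources", []):
        props = tr.get("modifiedProperties", [])
        if _prop(props, "ServicePrincipalType") != "ManagedIdentity":
            continue
        alt = _prop(props, "AlternativeNames") or []
        explicit = any(a.lower() == "isexplicit=true" for a in alt)
        return {"object_id": tr["id"], "display_name": tr.get("displayName"),
                "mi_type": "UAMI" if explicit else "SAMI", "source": "audit"}
    return None

def tag_from_activity(event):
    """Activity source: any operation whose caller token carries xms_mirid."""
    claims = event.get("claims", {})
    mirid = claims.get("xms_mirid")
    if not mirid:
        return None
    return {"object_id": claims.get(OID_CLAIM), "display_name": mirid.rsplit("/", 1)[-1],
            "mi_type": mi_type_from_resource_id(mirid), "source": "activity"}

def build_asset_tags(audit_events, activity_events):
    """Merge both sources; the creation event is authoritative when both exist."""
    tags = {}
    for ev in audit_events:
        t = tag_from_audit(ev)
        if t:
            tags[t["object_id"]] = t
    for ev in activity_events:
        t = tag_from_activity(ev)
        if t:
            tags.setdefault(t["object_id"], t)
    return tags

if __name__ == "__main__":
    for oid, tag in build_asset_tags(AUDIT_EVENTS, ACTIVITY_EVENTS).items():
        print(oid, tag["display_name"], tag["mi_type"], "via", tag["source"])
```

The activity path matters because a managed identity created before log collection started has no creation event in the data lake; it only becomes visible once it does something.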

Source and Enrichment Improvements

We’ve recently made key improvements to enhance coverage for Managed Identities alongside traditional service principals and user activities:

  • Azure Sign-in Event Source: We’ve added critical data points, including:

    • Azure Sign-in Category: To distinguish Managed Identities in Entra ID.

    • Unique Token Identifier: To help correlate sign-ins with session activities.

    • Resource ID: Identifies the resource the token was issued for (for example Microsoft Graph or Azure Key Vault), which is what lets detectors distinguish one token type from another.

    • Additional attributes like token protection status and cross-tenant access type to assess potential impact.

These additions also enhance context for non-MI-related leads.

  • azure_get_past_signin_ips_by_service_principal enrichment: This enrichment now properly handles Managed Identities by adjusting its logic to fetch and display relevant data. It’s designed to accommodate future improvements from Microsoft, particularly around including source IP addresses for Managed Identity sign-ins, which are currently not provided.

New detectors

🔎 Excessive Requests for Distinct Token Types by Azure Managed Identity

Detector ID: azure_managed_identity_mass_token_types_requested

When an attacker obtains a Managed Identity (MI) access token, they can use it against any Azure service or resource the identity is permitted to reach. Once a threat actor has compromised a resource with an attached MI, their next logical step is to assess the identity's permissions. In many cases this means requesting tokens for several different resources (token types), decoding them to inspect their scopes, or simply trying them against services to see what is allowed.

This detector identifies a managed identity that requested multiple distinct token types within a short timeframe, potentially indicating reconnaissance or abuse of the managed identity's accessible permissions by a threat actor.
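The detection logic described above, as an added example run over constructed sign-in records (this is illustrative code, not the detector's implementation). It uses the data points listed under Source and Enrichment Improvements: the sign-in category to keep only managed-identity sign-ins, the resource ID as the token type, and the unique token identifier to carry into the lead for session correlation. Field names follow the Entra sign-in log schema (`servicePrincipalId`, `resourceId`, `uniqueTokenIdentifier`, `createdDateTime`); `signInCategory`, the 10-minute window and the threshold of 4 distinct resources are assumptions, and the sample events and identities are constructed.

```python
"""Flag managed identities requesting many distinct token types in a short window.

Added example, not Hunters' detector code. Window, threshold, and the
signInCategory field name are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=10)  # assumed
THRESHOLD = 4                    # assumed: distinct resources within WINDOW

# Well-known first-party resource app IDs used as resourceId values.
GRAPH = "00000003-0000-0000-c000-000000000000"
KEYVAULT = "cfa8b339-82a2-471a-a3c9-0fc0be7a4093"
STORAGE = "e406a681-f3d4-42a8-90b6-c2b029497af1"
ARM = "797f4846-ba00-4fd7-ba43-dac1f8f63013"
SQL = "022907d3-0f1b-48f7-badc-1ba6abab6d66"

RECON_MI = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"  # constructed: probes 5 resources in 90 s
NOISY_MI = "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"  # constructed: many tokens, one resource
SLOW_MI = "cccccccc-cccc-cccc-cccc-cccccccccccc"   # constructed: 4 resources over an hour

def _ev(sp, res, ts, cat="managedIdentity", n=[0]):
    n[0] += 1
    return {"servicePrincipalId": sp, "resourceId": res, "createdDateTime": ts,
            "signInCategory": cat, "uniqueTokenIdentifier": f"tok-{n[0]:03d}"}

# Constructed sign-in events (not real telemetry).
SIGNIN_EVENTS = [
    _ev(RECON_MI, GRAPH, "2025-02-20T10:00:00Z"),
    _ev(RECON_MI, KEYVAULT, "2025-02-20T10:00:20Z"),
    _ev(RECON_MI, STORAGE, "2025-02-20T10:00:45Z"),
    _ev(RECON_MI, ARM, "2025-02-20T10:01:10Z"),
    _ev(RECON_MI, SQL, "2025-02-20T10:01:30Z"),
    *[_ev(NOISY_MI, STORAGE, f"2025-02-20T10:0{i}:00Z") for i in range(5)],
    _ev(SLOW_MI, GRAPH, "2025-02-20T09:00:00Z"),
    _ev(SLOW_MI, KEYVAULT, "2025-02-20T09:20:00Z"),
    _ev(SLOW_MI, STORAGE, "2025-02-20T09:40:00Z"),
    _ev(SLOW_MI, ARM, "2025-02-20T10:00:00Z"),
    # A human user doing the same thing is out of scope for this detector.
    *[_ev("user-1", r, "2025-02-20T10:00:05Z", cat="user") for r in (GRAPH, KEYVAULT, STORAGE, ARM, SQL)],
]

def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)

def detect_mass_token_types(events, window=WINDOW, threshold=THRESHOLD):
    """Sliding window per managed identity; one lead per identity that crosses the threshold."""
    mi_events = sorted((e for e in events if e.get("signInCategory") == "managedIdentity"),
                       key=lambda e: parse_ts(e["createdDateTime"]))
    recent = defaultdict(deque)  # servicePrincipalId -> deque of (ts, resourceId, tokenId)
    leads = {}
    for e in mi_events:
        sp, ts = e["servicePrincipalId"], parse_ts(e["createdDateTime"])
        q = recent[sp]
        q.append((ts, e["resourceId"], e["uniqueTokenIdentifier"]))
        while q and ts - q[0][0] > window:  # drop sign-ins older than the window
            q.popleft()
        distinct = {r for _, r, _ in q}
        if len(distinct) < threshold:
            continue
        lead = leads.setdefault(sp, {"service_principal_id": sp, "window_start": q[0][0].isoformat(),
                                     "resource_ids": set(), "token_ids": []})
        lead["window_end"] = ts.isoformat()
        lead["resource_ids"] |= distinct
        lead["token_ids"] = [t for _, _, t in q]  # tokens to pivot on in session activity
    for lead in leads.values():
        lead["resource_ids"] = sorted(lead["resource_ids"])
    return list(leads.values())

if __name__ == "__main__":
    for lead in detect_mass_token_types(SIGNIN_EVENTS):
        print(lead["service_principal_id"], len(lead["resource_ids"]), "token types",
              lead["window_start"], "->", lead["window_end"])
```

Counting distinct resource IDs rather than raw token requests is what keeps NOISY_MI quiet: a workload that refreshes the same storage token every minute is normal, while one identity asking for Graph, Key Vault, Storage, ARM and SQL tokens inside ninety seconds is what permission enumeration looks like.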

Deprecated detectors

🔎 Update of application's certificates and secrets management

Detector ID: azure_applications_secrets_update

On March 1st, 2025, we will disable the "Update of application's certificates and secrets management" detector. Our analysis found that this detector closely overlaps with another existing detector, "Addition of new credentials to a service principal on Azure Active Directory" (`azure_credentials_added_to_service_principal`).

Since the latter is better tuned and provides more accurate detections, keeping both detectors active results in unnecessary duplicate leads. Disabling azure_applications_secrets_update will improve efficiency and reduce noise in alerting.