💡Note
This article was originally published on January 31, 2025.
Product updates
Third-Party Lead Creation Limits
Hunters has introduced a daily limit on the number of third-party leads created per detector. Each third-party detector is now limited to generating 100,000 leads per day. This enhancement is designed to prevent spammy detectors from flooding the system with excessive leads, ensuring the platform remains efficient and focused on actionable insights. This change improves system reliability and helps maintain a clear and manageable lead queue for our users.
Learn more about service limits.
Integrations
Netskope V2
As Netskope sunsets its REST API V1 and transitions to V2, we have updated the Netskope integration to align with the new REST API V2 requirements and structure. This update introduces two new third-party detectors, enabling Netskope findings to be ingested as leads into Hunters.
To ensure your Netskope V2 is properly connected to your Hunters platform, follow these steps:
Regenerate your Netskope API token as a V2 token.
Edit the connection settings on Hunters to reflect the new token.
The integration includes:
Ingestion of the data to the data lake
Mapping to relevant Hunters schemas
Mapping of the data to IOC Search
Two new third-party detectors:
Netskope Audit Events
Netskope Application Events
Learn more here
Detection
New techniques
We have added MITRE ATT&CK techniques to 32 of our Out-of-the-Box (OOTB) detectors. This update enhances Hunters' Threat Coverage and provides you with a more comprehensive MITRE Matrix view. Additionally, it helps us identify coverage gaps and prioritize new detections effectively.
New detectors
🔎 Unusual EC2 Access and password enumeration
Detector ID: aws_unusual_amount_of_ec2_access
Attackers may execute multiple connections to EC2 instances within a short timeframe to facilitate lateral movement or reconnaissance activities. This behavior often includes unauthorized access attempts to other instances and efforts to gather credentials. Multiple rapid connections to EC2 instances, particularly from unexpected sources or unauthorized accounts, can signal a potential security breach.
The detection logic identifies suspicious behavior where a single user ARN connects to or accesses at least five EC2 instances within a one-hour period using the following API calls: GetPasswordData, SendCommand, SendSSHPublicKey, and StartSession. This detector analyzes activity patterns and highlights anomalies effectively.
This update enhances your ability to identify and respond to potential threats targeting EC2 instances.
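The following is an added worked example of the detection logic described above, written for this article; it is not Hunters' own detector code. It runs a one-hour sliding window over constructed CloudTrail-style records, counts the distinct EC2 instances each user ARN reaches through the four listed API calls, and raises one alert per ARN that hits the five-instance threshold. The request-parameter field each API uses for the instance id (instanceId, instanceIds, target) is an assumption based on the CloudTrail record layout and is not stated on the page; the ARNs, instance ids and timestamps are constructed sample data.

```python
"""Sliding-window detection: one principal touching many EC2 instances in an hour."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# API calls the detector keys on (as listed in the article).
ACCESS_EVENTS = {"GetPasswordData", "SendCommand", "SendSSHPublicKey", "StartSession"}


def instance_ids(event):
    """Return the EC2 instance id(s) an access event targets.

    Field locations are assumptions about the CloudTrail requestParameters
    layout for each API; adjust them to match your own telemetry.
    """
    params = event.get("requestParameters") or {}
    name = event.get("eventName")
    if name in ("GetPasswordData", "SendSSHPublicKey"):
        return [params["instanceId"]] if "instanceId" in params else []
    if name == "SendCommand":
        return list(params.get("instanceIds") or [])
    if name == "StartSession":
        target = params.get("target", "")
        return [target] if target.startswith("i-") else []
    return []


def parse_time(stamp):
    """CloudTrail eventTime is UTC in the form 2025-01-31T10:00:00Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_unusual_ec2_access(events, threshold=5, window=timedelta(hours=1)):
    """Return one alert per user ARN that reaches `threshold` distinct instances
    inside any span shorter than `window`. Distinct instances are counted, so a
    role that repeatedly hits the same instance does not fire."""
    by_arn = defaultdict(list)
    for ev in events:
        if ev.get("eventName") not in ACCESS_EVENTS:
            continue
        arn = (ev.get("userIdentity") or {}).get("arn")
        ids = instance_ids(ev)
        if not arn or not ids:
            continue
        for iid in ids:
            by_arn[arn].append((parse_time(ev["eventTime"]), iid))

    alerts = []
    for arn, rows in by_arn.items():
        rows.sort()  # chronological; each row becomes a candidate window start
        for i, (start, _) in enumerate(rows):
            seen = set()
            for t, iid in rows[i:]:
                if t - start >= window:
                    break
                seen.add(iid)
            if len(seen) >= threshold:
                alerts.append({"arn": arn, "window_start": start.isoformat(),
                               "instances": sorted(seen)})
                break  # one alert per ARN is enough for triage
    return alerts


def _rec(t, arn, name, params):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventTime": t, "eventName": name,
            "userIdentity": {"arn": arn}, "requestParameters": params}


# Constructed principals and events; none of these are real.
SUSPECT = "arn:aws:iam::111122223333:user/compromised-dev"
ADMIN = "arn:aws:iam::111122223333:role/ops-admin"

SAMPLE_EVENTS = [
    # compromised-dev: five distinct instances in 30 minutes via all four APIs -> alert
    _rec("2025-01-31T10:00:00Z", SUSPECT, "GetPasswordData", {"instanceId": "i-0a1"}),
    _rec("2025-01-31T10:05:00Z", SUSPECT, "SendSSHPublicKey", {"instanceId": "i-0a2"}),
    _rec("2025-01-31T10:12:00Z", SUSPECT, "StartSession", {"target": "i-0a3"}),
    _rec("2025-01-31T10:30:00Z", SUSPECT, "SendCommand", {"instanceIds": ["i-0a4", "i-0a5"]}),
    _rec("2025-01-31T10:40:00Z", SUSPECT, "DescribeInstances", {}),  # not an access call
    # ops-admin: three instances in one hour, two more hours later -> no alert
    _rec("2025-01-31T09:00:00Z", ADMIN, "StartSession", {"target": "i-0b1"}),
    _rec("2025-01-31T09:20:00Z", ADMIN, "StartSession", {"target": "i-0b2"}),
    _rec("2025-01-31T09:50:00Z", ADMIN, "StartSession", {"target": "i-0b3"}),
    _rec("2025-01-31T12:10:00Z", ADMIN, "StartSession", {"target": "i-0b4"}),
    _rec("2025-01-31T12:30:00Z", ADMIN, "StartSession", {"target": "i-0b5"}),
]

if __name__ == "__main__":
    for alert in detect_unusual_ec2_access(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample, only the compromised-dev ARN produces an alert; ops-admin never has five distinct instances inside a single hour, which is the property that keeps routine fleet administration below the threshold while still catching a burst of credential gathering and session starts.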