March 2025


💡Note

This article was originally published on March 26, 2025.

Product updates

Lead Drawer UX Enhancements

We’re excited to introduce several improvements to the Lead Drawer for a more efficient and seamless user experience:

  • Persistent actions: Key buttons and drop-downs remain visible regardless of navigation.

  • Streamlined interface: Less relevant information collapses as you scroll, keeping the focus on content.

  • Improved workflow: Expand the Lead Drawer without opening a new tab or experiencing load delays.

These improvements provide more control over filtering, ensuring users can quickly and efficiently find the most relevant information.

Detectors and Data Sources API Improvements

We’ve recently made extensive improvements to our API offering, specifically in the Detectors and Data Sources endpoints:

Detectors API

GET /detectors

Previously, GET /detectors returned only Custom detectors (those created by users). It can now return information for all detector types: Hunters detectors, Third-party detectors, and Custom detectors.

For this purpose we’ve added the following parameters to the request:

  • type - The type of detector to retrieve (Hunters / Custom / Third party / All). The default is Custom, so existing calls that omit this parameter keep their previous behavior.


    Content-Type restrictions:

    - If type is Custom, the response can be requested as JSON or YAML.

    - For any other value (Hunters, Third party, or All), only JSON is allowed.

  • source - Only applies when type is Custom. Use it to return only the custom detectors created in the Hunters UI, or only those created with the API Create New Custom Detector request.

The following properties were added to the response:

  • type - the detector’s type (Hunters / Custom / Third party).

  • data_types - The connected data types relevant to this detector.

  • possible_data_types - All possible data types that this detector can work with, including those not currently connected to the system.

  • default_alerts_enabled - Only relevant for Hunters or Third Party detectors. If true, alerts are enabled by default. If false, alerts are disabled by default.

  • default_alerts_confidence_threshold - Only relevant for Hunters or Third Party detectors. The Confidence level from which alerts are created by default.

PUT /detectors/hunters/{detector_id}

This new request allows you to programmatically update an existing Hunters or Third Party detector. The path must include the detector ID of the detector you want to update. Use this request to update one or both of the following parameters of the detector:

  • alerts_enabled - Enables or disables alert generation for this detector. If true, alerts will be created for leads originating from this detector. If false, alerts will not be created for leads originating from this detector.

  • alerts_confidence_threshold - The confidence threshold from which alerts are created.

Data Source API

GET /data-sources

The GET /data-sources response now includes the data flow tags assigned to each data flow.

PUT /data-sources/{dataflow_id}

This new request allows you to programmatically update an existing data flow's description and/or tags. The path must include the ID of the data flow you want to update. Use the following parameters:

  • description - Updated data flow description

  • dataTagsIds - List of tag IDs to assign or unassign.

  • operationType - Enter assign to add tags or unassign to remove tags.

GET /data-sources/tags

This new request retrieves all of the data flow tags defined in your system. On a multi-tenant account, use the organization query parameter to return only the tags of a specific organization. For each tag, the response returns the tag ID, its name, and the IDs of the data flows that have the tag assigned.
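The following Python builds the requests described in this section and shows one workflow that combines them: read every detector with GET /detectors?type=All, then issue PUT /detectors/hunters/{detector_id} only for the Hunters or Third party detectors whose alert settings need to change. This is an added example, not Hunters' own SDK or API reference: the endpoint paths, query parameters and field names are the ones documented above, while the base URL, bearer-token authentication, the YAML media type, the "id" key of a detector record and a numeric confidence scale are assumptions to check against the API reference.

```python
"""Request builders for the Detectors and Data Sources endpoints described above.

Added example, not Hunters' own SDK. Paths, parameters and field names follow
these release notes; base URL, bearer-token auth, the YAML media type, the
detector "id" key and a numeric confidence scale are assumptions.
"""
import json
import urllib.parse
import urllib.request

DETECTOR_TYPES = ("Hunters", "Custom", "Third party", "All")


def yaml_allowed(detector_type):
    """YAML output is documented only for type=Custom; everything else is JSON."""
    return detector_type == "Custom"


def build_get_detectors(detector_type="Custom", fmt="json", source=None):
    """GET /detectors. `source` narrows Custom detectors to UI- or API-created ones."""
    if detector_type not in DETECTOR_TYPES:
        raise ValueError(f"unknown detector type {detector_type!r}")
    if fmt not in ("json", "yaml"):
        raise ValueError("fmt must be json or yaml")
    if fmt == "yaml" and not yaml_allowed(detector_type):
        raise ValueError("YAML responses are only allowed when type is Custom")
    if source is not None and detector_type != "Custom":
        raise ValueError("source only applies when type is Custom")
    params = {"type": detector_type}
    if source is not None:
        params["source"] = source
    accept = "application/json" if fmt == "json" else "application/x-yaml"  # assumed YAML media type
    return {"method": "GET", "path": "/detectors", "params": params,
            "headers": {"Accept": accept}, "body": None}


def build_put_hunters_detector(detector_id, alerts_enabled=None, alerts_confidence_threshold=None):
    """PUT /detectors/hunters/{detector_id}: update one or both alert settings."""
    if alerts_enabled is None and alerts_confidence_threshold is None:
        raise ValueError("supply alerts_enabled and/or alerts_confidence_threshold")
    body = {}
    if alerts_enabled is not None:
        body["alerts_enabled"] = bool(alerts_enabled)
    if alerts_confidence_threshold is not None:
        body["alerts_confidence_threshold"] = alerts_confidence_threshold
    path = "/detectors/hunters/" + urllib.parse.quote(str(detector_id), safe="")
    return {"method": "PUT", "path": path, "params": {},
            "headers": {"Content-Type": "application/json"}, "body": body}


def build_put_data_source(dataflow_id, tag_ids=(), operation_type="assign", description=None):
    """PUT /data-sources/{dataflow_id}: assign/unassign tags and/or set a description."""
    if operation_type not in ("assign", "unassign"):
        raise ValueError("operationType must be assign or unassign")
    body = {"dataTagsIds": list(tag_ids), "operationType": operation_type}
    if description is not None:
        body["description"] = description
    path = "/data-sources/" + urllib.parse.quote(str(dataflow_id), safe="")
    return {"method": "PUT", "path": path, "params": {},
            "headers": {"Content-Type": "application/json"}, "body": body}


def plan_alert_settings(detectors, data_type, enabled=True, min_threshold=None):
    """From a GET /detectors?type=All body, build the PUTs needed so every Hunters or
    Third party detector connected to `data_type` alerts with at least `min_threshold`.
    Custom detectors are skipped: the PUT endpoint covers Hunters/Third party only."""
    plans = []
    for d in detectors:
        if d.get("type") not in ("Hunters", "Third party"):
            continue
        if data_type not in d.get("data_types", []):
            continue  # not connected to this data type, nothing to tune
        new_enabled = enabled if d.get("default_alerts_enabled") != enabled else None
        current = d.get("default_alerts_confidence_threshold")
        new_threshold = None
        if min_threshold is not None and (current is None or current < min_threshold):
            new_threshold = min_threshold
        if new_enabled is None and new_threshold is None:
            continue  # already compliant, no request needed
        plans.append(build_put_hunters_detector(d["id"], new_enabled, new_threshold))
    return plans


def send(request, base_url, token, opener=urllib.request.urlopen):
    """Send a built request with an assumed bearer token; pass a fake `opener` to test offline."""
    url = base_url.rstrip("/") + request["path"]
    if request["params"]:
        url += "?" + urllib.parse.urlencode(request["params"])
    data = None if request["body"] is None else json.dumps(request["body"]).encode()
    headers = {"Authorization": "Bearer " + token, **request["headers"]}
    req = urllib.request.Request(url, data=data, headers=headers, method=request["method"])
    with opener(req) as resp:
        return json.loads(resp.read().decode())


# Constructed sample of a GET /detectors?type=All response body (not real API output)
SAMPLE_DETECTORS = [
    {"id": "windows_event_abnormal_smb_connection", "type": "Hunters",
     "data_types": ["windows_event_log"], "default_alerts_enabled": False,
     "default_alerts_confidence_threshold": 40},
    {"id": "example_third_party_detector", "type": "Third party",
     "data_types": ["windows_event_log"], "default_alerts_enabled": True,
     "default_alerts_confidence_threshold": 80},
    {"id": "example_custom_rule", "type": "Custom", "data_types": ["windows_event_log"]},
    {"id": "example_unconnected_detector", "type": "Hunters", "data_types": [],
     "possible_data_types": ["example_source"], "default_alerts_enabled": True,
     "default_alerts_confidence_threshold": 60},
]
```

Run `plan_alert_settings(SAMPLE_DETECTORS, "windows_event_log", enabled=True, min_threshold=70)` and only the first detector produces a PUT (alerts off, threshold below 70); the Third party detector is already compliant, the Custom detector is out of scope for this endpoint, and the unconnected detector is skipped because `data_types` is empty. Review the returned plan before passing each request to `send`.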


Integrations

Cloudflare Zero Trust Network Sessions

Cloudflare Zero Trust Network Sessions provide secure, identity-aware access to internal applications and services without relying on traditional VPNs. Each session is tightly scoped and authenticated using user identity, device posture, and contextual policies, ensuring that only authorized users and devices can access specific resources. By enforcing granular controls and logging every session, Cloudflare strengthens security, reduces attack surface, and improves visibility across your network environment.

The integration includes:

  • Ingestion of the data to the data lake

  • Mapping of the data to IOC Search

  • Mapping to relevant Hunters schemas



Detection

New detectors

🔎 WEL SMB connection from an abnormal process

Detector ID: windows_event_abnormal_smb_connection

On Windows, SMB is handled in the kernel by the SMB client and server drivers, so legitimate SMB connections are attributed to the System process (PID 4). An SMB connection over TCP port 445 attributed to a user-mode process is therefore unusual and may indicate lateral movement tooling, port scanning, or exploitation attempts.

This detector identifies outbound SMB connections initiated by processes other than System. It uses Windows Filtering Platform event 5156 (the platform permitted a connection), which records the process ID and application path, and enriches the result with process creation events (4688) to show the user and command line behind the connection. Note that event 5156 is not logged by default: it requires the Audit Filtering Platform Connection subcategory (under Object Access) to be enabled, and it is high-volume, so scope the audit policy and log forwarding accordingly.

🔎 Addition of a user to Local Administrators group

Detector ID: windows_event_user_added_to_local_admins

Adding a user to the local Administrators group gives that account full control of the endpoint. While this is often part of legitimate IT operations, it is also a common way for attackers to maintain persistence and escalate privileges within an environment.

This detector uses Windows Event ID 4732 (a member was added to a security-enabled local group) to identify when a member is added to the local Administrators group on a domain-joined system. Because the group name is localized and the MemberName field of 4732 is often empty ("-"), matching on the well-known group SID S-1-5-32-544 and resolving the member by SID is more reliable than matching on names. Such additions may indicate an attempt to establish long-term access or to regain control after the compromise of other privileged accounts.
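The logic behind both Windows Event Log detectors above, the abnormal SMB connection (5156 joined to 4688) and the local Administrators addition (4732), written out in Python as an added example. This is not the Hunters detectors' implementation: the events are constructed dicts keyed by the standard Windows event fields, and real ingestion would map them from the event XML or the Hunters schema. The join on PID shows one detail a practitioner needs to get right: 4688 records NewProcessId in hex while 5156 records ProcessID in decimal, and PIDs are reused, so the most recent creation before the connection is the right one.

```python
"""Detection logic for the two Windows Event Log detectors described above.

Added example, not the Hunters detectors' implementation. Events are constructed
dicts using the standard field names of events 5156, 4688 and 4732.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WFP_OUTBOUND = "%%14593"        # 5156 Direction value for outbound; %%14592 is inbound
TCP = 6
SMB_PORT = 445
SYSTEM_PID = 4
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"   # match by SID, not the localized group name


def abnormal_smb_connections(events):
    """Outbound TCP/445 connections (WFP event 5156) made by a process other than
    System (PID 4), enriched with the latest 4688 process creation for that PID."""
    creations = defaultdict(list)
    for e in events:
        if e["EventID"] == 4688:
            # 4688 records NewProcessId in hex; 5156 records ProcessID in decimal
            creations[(e["Computer"], int(e["NewProcessId"], 16))].append(e)
    hits = []
    for e in events:
        if e["EventID"] != 5156 or e["Direction"] != WFP_OUTBOUND:
            continue
        if e["Protocol"] != TCP or e["DestPort"] != SMB_PORT:
            continue
        pid = int(e["ProcessID"])
        if pid == SYSTEM_PID:
            continue  # kernel SMB client: expected
        # PIDs are reused, so take the most recent creation before the connection
        prior = [c for c in creations[(e["Computer"], pid)] if c["Time"] <= e["Time"]]
        proc = max(prior, key=lambda c: c["Time"], default=None)
        hits.append({
            "computer": e["Computer"], "pid": pid, "application": e["Application"],
            "dest": f'{e["DestAddress"]}:{e["DestPort"]}', "time": e["Time"],
            "process_name": proc["NewProcessName"] if proc else None,
            "command_line": proc.get("CommandLine") if proc else None,
            "user": proc["SubjectUserName"] if proc else None,
        })
    return hits


def local_admin_additions(events, group_sid=BUILTIN_ADMINISTRATORS):
    """4732 (member added to a security-enabled local group) where the target group
    is BUILTIN\\Administrators. MemberName is often '-' in 4732, so the member SID
    is the reliable identifier to resolve and report."""
    return [{
        "computer": e["Computer"], "time": e["Time"],
        "member_sid": e["MemberSid"], "member_name": e.get("MemberName", "-"),
        "actor": f'{e["SubjectDomainName"]}\\{e["SubjectUserName"]}',
    } for e in events if e["EventID"] == 4732 and e["TargetSid"] == group_sid]


T0 = datetime(2025, 3, 26, 9, 0, 0)

# Constructed sample events (not real logs)
SAMPLE_EVENTS = [
    # legitimate: kernel SMB client, System (PID 4) to a file server
    {"EventID": 5156, "Computer": "WS01", "Time": T0, "Direction": WFP_OUTBOUND,
     "Protocol": TCP, "ProcessID": "4", "Application": "System",
     "DestAddress": "10.0.0.20", "DestPort": 445},
    # process creation for the PowerShell below (hex 0x1a4c = 6732)
    {"EventID": 4688, "Computer": "WS01", "Time": T0 + timedelta(seconds=5),
     "NewProcessId": "0x1a4c", "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -nop -c Get-ChildItem \\10.0.0.5\C$"},
    # suspicious: user-mode process opening TCP/445 to another host
    {"EventID": 5156, "Computer": "WS01", "Time": T0 + timedelta(seconds=9),
     "Direction": WFP_OUTBOUND, "Protocol": TCP, "ProcessID": "6732",
     "Application": r"\device\harddiskvolume3\windows\system32\windowspowershell\v1.0\powershell.exe",
     "DestAddress": "10.0.0.5", "DestPort": 445},
    # inbound 445 on the file server is the SMB server side, out of scope here
    {"EventID": 5156, "Computer": "FS01", "Time": T0, "Direction": "%%14592",
     "Protocol": TCP, "ProcessID": "4", "Application": "System",
     "DestAddress": "10.0.0.20", "DestPort": 445},
    # added to Administrators (flagged) vs Remote Desktop Users (not flagged)
    {"EventID": 4732, "Computer": "WS01", "Time": T0 + timedelta(minutes=1),
     "TargetUserName": "Administrators", "TargetSid": BUILTIN_ADMINISTRATORS,
     "MemberSid": "S-1-5-21-1111-2222-3333-1105", "MemberName": "-",
     "SubjectUserName": "jdoe", "SubjectDomainName": "CORP"},
    {"EventID": 4732, "Computer": "WS01", "Time": T0 + timedelta(minutes=2),
     "TargetUserName": "Remote Desktop Users", "TargetSid": "S-1-5-32-555",
     "MemberSid": "S-1-5-21-1111-2222-3333-1106", "MemberName": "-",
     "SubjectUserName": "jdoe", "SubjectDomainName": "CORP"},
]
```

On the sample, `abnormal_smb_connections` returns one hit (the PowerShell connection to 10.0.0.5:445, enriched with the user and command line from 4688) and `local_admin_additions` returns one hit (the addition to S-1-5-32-544); the System connection, the inbound event and the Remote Desktop Users change are all ignored. In production, a short allowlist of known user-mode SMB clients (backup or scanning agents) applied after this logic keeps the volume manageable without loosening the rule.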

🔎 Unusual Token Type Request by an Azure Managed Identity

Detector ID: azure_managed_identity_signin_unusual_token_type_requested

Azure Managed Identities typically request access tokens for a narrow, predictable set of services—such as ARM, Microsoft Graph, or Key Vault—based on their assigned tasks. A sudden deviation from this pattern may signal potential compromise or misuse.

This detector flags instances where a managed identity requests a token type it hasn’t previously accessed (or hasn't in a long time), indicating anomalous behavior. Such deviations could suggest that the identity is being leveraged for unauthorized access or reconnaissance activities.

This is part of our broader effort to enhance detection around Azure Managed Identity abuse.
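The baseline-and-deviation logic described above, as an added example in Python. This is not the Hunters detector's implementation. The records are constructed and loosely follow the Entra managed-identity sign-in log fields (servicePrincipalId, resourceDisplayName, createdDateTime, held here as datetime objects); "token type" is interpreted as the resource the token was requested for, which is an assumption. The example also handles the two edge cases the description implies: a resource last requested outside the lookback window is flagged as "not in a long time" (with its last-seen time), and a freshly deployed identity with little history is not flagged on every first request.

```python
"""Baseline-and-deviation logic for the managed-identity detector described above.

Added example, not the Hunters detector's implementation. Records are constructed;
field names loosely follow Entra managed-identity sign-in logs, and "token type"
is taken to mean the requested resource (an assumption).
"""
from collections import defaultdict
from datetime import datetime, timedelta


def unusual_token_requests(signins, lookback_days=30, min_history=5):
    """Flag a token request for a resource the identity has not requested within the
    lookback window. Identities with fewer than `min_history` earlier requests in the
    window are skipped, so a new identity does not alert on each of its first resources."""
    by_sp = defaultdict(list)
    for s in sorted(signins, key=lambda s: s["createdDateTime"]):
        by_sp[s["servicePrincipalId"]].append(s)
    hits = []
    for sp, rows in by_sp.items():
        for i, cur in enumerate(rows):
            start = cur["createdDateTime"] - timedelta(days=lookback_days)
            earlier = rows[:i]                      # strictly before this request
            in_window = [r for r in earlier if r["createdDateTime"] >= start]
            if len(in_window) < min_history:
                continue                            # not enough baseline to judge
            baseline = {r["resourceDisplayName"] for r in in_window}
            if cur["resourceDisplayName"] in baseline:
                continue                            # normal for this identity
            prior = [r["createdDateTime"] for r in earlier
                     if r["resourceDisplayName"] == cur["resourceDisplayName"]]
            hits.append({
                "servicePrincipalId": sp,
                "resource": cur["resourceDisplayName"],
                "time": cur["createdDateTime"],
                "baseline_resources": sorted(baseline),
                "last_seen": max(prior) if prior else None,  # None: never requested before
            })
    return hits


T0 = datetime(2025, 3, 26, 12, 0, 0)


def _row(sp, resource, days_ago):
    return {"servicePrincipalId": sp, "resourceDisplayName": resource,
            "createdDateTime": T0 - timedelta(days=days_ago)}


# Constructed sample (not real sign-in data):
#  - mi-web-app has requested ARM tokens daily; it last touched Key Vault 60 days ago
#    and requests Key Vault again today -> flagged, with last_seen 60 days back
#  - mi-new-function is brand new with two requests -> too little history, not flagged
SAMPLE_SIGNINS = (
    [_row("mi-web-app", "Windows Azure Service Management API", d) for d in range(1, 11)]
    + [_row("mi-web-app", "Azure Key Vault", 60)]
    + [_row("mi-web-app", "Azure Key Vault", 0)]
    + [_row("mi-new-function", "Microsoft Graph", 1),
       _row("mi-new-function", "Azure Key Vault", 0)]
)
```

With the defaults, `unusual_token_requests(SAMPLE_SIGNINS)` returns one hit for mi-web-app with `last_seen` set to the request 60 days earlier; widening `lookback_days` to 90 brings that earlier Key Vault request into the baseline and the hit disappears, which is the trade-off to tune per environment.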

Deprecated detectors

🔎 New device scanned by a public scanner

Detector ID: edr_new_device_scanned_by_public_scanners

On March 27, 2025, we will disable the "New device scanned by a public scanner" detector. After a long period of inactivity, we investigated its usefulness and concluded that this particular use case is relatively low-value. To keep our detection capabilities focused and efficient, we’ve decided to retire this detector.