October 2023


Product updates

Custom Detectors API in a Detection-as-Code methodology

Hunters is introducing new API capabilities that will allow you to manage and customize detectors using API, and embrace a detection-as-code approach. This will make detection management and customization fast, simple, and easy to scale.

This new offering is based on the new proprietary Hunters Detection Language, inspired by the Sigma language, together with a comprehensive list of API endpoints. The new endpoints will allow you to list all custom detectors, create a new custom detector, update an existing custom detector, delete a custom detector, test a new custom detector, dry run a custom detector, and perform all of these actions in bulk.

Note that this API is relevant only to custom detectors.


Asset tagging API

A new API capability, asset tagging API, will allow you to leverage robust business context at scale by programmatically tagging assets in bulk. Asset tagging API allows you to create and maintain asset tags and identifying rules to automatically tag assets and provide business context to the involved entities.

The available capabilities are similar to the asset tagging UI functionality and include adding and deleting asset tags, adding and deleting identifying rules, and more.


Additions to GET /leads API

You can now request a list of all leads that transitioned to a specific investigation state within a specific timeframe. The investigation state filters enable you to pull leads and alerts that have already been enriched with all relevant data, ensuring accurate prioritization and mega-entity correlation. You can query for leads that transitioned to the “Completed” state to avoid pulling alerts where the investigation is still in progress. This is particularly useful for verifying prioritization accuracy and ensuring that alerts with lower risk, which will be completed later, are not mistakenly considered as ongoing.

Additionally, you can leverage the initial investigation state for leads enriched with initial investigation results, allowing for faster action while acknowledging the risk of incomplete data as the lead is still in the process of the automatic investigation.

This can be achieved by using the following parameters:

  • updated_since and updated_until - Used together to create a timeframe in which the leads’ investigation status changed into the status specified in investigation_state.
  • investigation_state - Used to specify the investigation state of leads in the timeframe created with the above fields.
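The three parameters above, plus the org_code filter introduced in this release, are put together in the following added example, which is not Hunters code. The ISO 8601 timestamp format, the base URL, the "initial" state value and the local lead records with a transition history are assumptions constructed to show the semantics of the filter (a lead is returned when it entered the requested state inside the window, so an in-progress lead is not pulled as if it were finished); the real response shape and accepted formats must be taken from the Hunters API reference.

```python
from datetime import datetime
from urllib.parse import urlencode


def _ts(s):
    # Assumed timestamp convention: ISO 8601 in UTC ("Z" suffix).
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def build_leads_params(investigation_state, updated_since, updated_until, org_code=None):
    """Query parameters for GET /leads: leads whose investigation status changed
    into `investigation_state` between `updated_since` and `updated_until`.
    `org_code` is the optional organization-code filter added in this release."""
    if _ts(updated_until) <= _ts(updated_since):
        raise ValueError("updated_until must be after updated_since")
    params = {
        "investigation_state": investigation_state,
        "updated_since": updated_since,
        "updated_until": updated_until,
    }
    if org_code:
        params["org_code"] = org_code
    return params


def leads_url(base_url, params):
    """Compose the request URL; base_url is a placeholder, not a real Hunters host."""
    return f"{base_url.rstrip('/')}/leads?{urlencode(params)}"


# Constructed sample leads with a local transition history.  This shape is an
# assumption used only to replay the filter semantics; it is not the API's
# response format.  "initial" stands in for the initial investigation state.
SAMPLE_LEADS = [
    {"id": "lead-1", "risk": "high",
     "transitions": [("initial", "2023-10-02T08:00:00Z"),
                     ("Completed", "2023-10-02T08:20:00Z")]},
    {"id": "lead-2", "risk": "low",
     "transitions": [("initial", "2023-10-02T09:00:00Z")]},   # still being investigated
    {"id": "lead-3", "risk": "medium",
     "transitions": [("initial", "2023-09-30T10:00:00Z"),
                     ("Completed", "2023-09-30T11:00:00Z")]},  # finished before the window
]


def leads_transitioned_to(leads, investigation_state, updated_since, updated_until):
    """Server-side semantics the parameters express, replayed locally: keep leads
    that entered `investigation_state` inside [updated_since, updated_until)."""
    since, until = _ts(updated_since), _ts(updated_until)
    selected = []
    for lead in leads:
        if any(state == investigation_state and since <= _ts(when) < until
               for state, when in lead["transitions"]):
            selected.append(lead["id"])
    return selected


if __name__ == "__main__":
    params = build_leads_params("Completed", "2023-10-01T00:00:00Z",
                                "2023-10-03T00:00:00Z", org_code="ORG-CODE-PLACEHOLDER")
    print(leads_url("https://api.example.invalid", params))
    print(leads_transitioned_to(SAMPLE_LEADS, "Completed",
                                "2023-10-01T00:00:00Z", "2023-10-03T00:00:00Z"))
```

Polling with a "Completed" filter and a window that starts where the previous poll ended gives a consumer exactly the leads whose enrichment finished since last time, including lower-risk leads that completed late, without re-reading leads that were already in progress during the earlier poll.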

Filter requests by organization code

📅 Available October 9

The new org_code parameter, added to all endpoints, allows you to return results for specific organizations using the organization code. Until now, Hunters API offered the organization parameter to filter results based on organizations. Now, you can also achieve this goal using the organization code provided to you by Hunters Support upon tenant provisioning.

More information in the Detectors Report

We’ve expanded the information provided when downloading the Detectors csv report (Knowledge Center > Analytics > Export Analytics Settings).

To promote transparency and allow more visibility into each detector’s settings, we’ve made the following changes to the csv columns:

Alert Settings columns:

  • Default Alerts Enabled - signifies whether this detector can generate alerts, according to Hunters default alert settings.
  • Default Confidence Threshold - signifies from which confidence level this detector can generate alerts, according to Hunters default alert settings.
  • Customer Alerts Enabled - signifies whether this detector can generate alerts, according to the customer’s alert settings override. This takes precedence over the Hunters default alert settings.
  • Customer Alerts Threshold - signifies from which confidence level this detector can generate alerts, according to the customer’s alert settings override. This takes precedence over the Hunters default alert settings.
  • Final Alerts Enabled - indicates the final status of the alert settings (taken from customer settings if available, else from Hunters default alert settings).
  • Final Alerts Threshold - indicates the final confidence threshold of the alert settings (taken from customer settings if available, else from Hunters default alert settings).

Data Sources columns:

  • Possible Data Source(s) - exposes which data sources this detector can run on.
  • Active Data Source(s) - exposes which data sources (which are currently connected to the customer environment) this detector can run on.

Identifier columns:

  • ID - the internal ID of the detector.
  • Open API ID - the external ID of the detector (relevant for custom detectors API management).
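The precedence rule stated for the Alert Settings columns (customer override if present, otherwise the Hunters default) can be checked mechanically against an exported report. The following added example, which is not Hunters code, reads a constructed sample of the csv using the column names listed above, recomputes the Final columns from the Default and Customer columns, and lists detectors that deserve a look: rows whose Final values disagree with the recomputation, detectors that a customer override has switched off, and detectors with no active data source. The rows, the confidence-level values (low/medium/high) and the TRUE/FALSE spelling are assumptions for the sample.

```python
import csv
import io

# Constructed sample of the Detectors csv report.  Column names are those listed
# in the release note; rows, detector numbering, confidence-level values and the
# TRUE/FALSE spelling are assumptions for illustration.
SAMPLE_REPORT = """\
ID,Open API ID,Default Alerts Enabled,Default Confidence Threshold,Customer Alerts Enabled,Customer Alerts Threshold,Final Alerts Enabled,Final Alerts Threshold,Possible Data Source(s),Active Data Source(s)
101,office365_possible_file_exfiltration,TRUE,medium,,,TRUE,medium,office365,office365
102,o365_suspicious_app_impersonation,TRUE,high,FALSE,,FALSE,high,office365,office365
103,example_custom_detector,TRUE,low,TRUE,high,TRUE,medium,prisma_saas,
"""


def _effective(row, customer_col, default_col):
    """Customer override wins when present; otherwise the Hunters default applies."""
    value = row[customer_col].strip()
    return value if value else row[default_col].strip()


def expected_final(row):
    """Recompute (Final Alerts Enabled, Final Alerts Threshold) from the inputs."""
    enabled = _effective(row, "Customer Alerts Enabled", "Default Alerts Enabled").upper()
    threshold = _effective(row, "Customer Alerts Threshold", "Default Confidence Threshold")
    return enabled, threshold


def audit_report(csv_text):
    """Return the Open API IDs of detectors that need attention, by category."""
    findings = {"mismatched_final": [], "silenced_by_override": [], "no_active_source": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        detector = row["Open API ID"]
        reported = (row["Final Alerts Enabled"].strip().upper(),
                    row["Final Alerts Threshold"].strip())
        if expected_final(row) != reported:
            findings["mismatched_final"].append(detector)
        if (row["Default Alerts Enabled"].strip().upper() == "TRUE"
                and row["Customer Alerts Enabled"].strip().upper() == "FALSE"):
            findings["silenced_by_override"].append(detector)
        if not row["Active Data Source(s)"].strip():
            findings["no_active_source"].append(detector)
    return findings


if __name__ == "__main__":
    for category, ids in audit_report(SAMPLE_REPORT).items():
        print(f"{category}: {ids}")
```

The "silenced_by_override" list is the one to review during a coverage audit: each entry is a detector Hunters enables by default that an override has turned off, and the Open API ID column gives the identifier needed to manage it through the custom detectors API.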

Integrations

Prisma SaaS

Prisma SaaS, from Palo Alto’s Prisma suite, provides visibility and enforcement across all users, folders and file activity within sanctioned SaaS applications, providing detailed analysis and analytics on usage without requiring any additional hardware, software or network changes.

Now supported by Hunters, Prisma SaaS events include raw logs, alerts, policies, and more. The new integration includes:

  • Prisma SaaS API connection.
  • Data transformation into the data lake.
  • Mapping of the data to the Login Unified Schema.
  • Alerts created over the incident log type.

Note:

The Prisma SaaS API implements an event stream in which one event is sent on each API call. For large enterprises, this might lead to a delay in ingestion while emptying the queue.


Mimecast

Hunters now supports the integration of Mimecast Message Held Release Logs - a record of all emails that are released from Mimecast's held queue. The logs contain information about the email, such as the sender, recipient, subject, body, and the reason for release.

The integration includes:

  • Collecting data from the Mimecast API.
  • Transformation of the data into the data lake.

Note:

Currently, this integration requires the help of Hunters Support to be set up.


Detection

New detectors

🔎 Possible exfiltration of file from Office 365

Detector ID: office365_possible_file_exfiltration

OneDrive and SharePoint store organizations’ internal files. Malicious actors may abuse permissions to these applications to exfiltrate large numbers of files, some of which may be sensitive.

This new time series detector identifies a large number of downloads for distinct files, throughout a period of time, to signal possible file exfiltration.

🔎 Suspicious usage of Office 365 eDiscovery compliance search

Detector ID: office365_suspicious_ediscovery_usage

eDiscovery is a compliance search feature in O365. It can be used by attackers to run searches on SharePoint files as well as mailboxes within the organization. Malicious actors could use the search in order to gain access to confidential information or to exfiltrate data from the organization.

The detector looks for searches created and deleted in a short period of time, which might indicate an attacker trying to cover up the searches performed.

Modified detectors

🔎 Suspicious App Impersonation in O365 Exchange

Detector ID: o365_suspicious_app_impersonation

To match Office 365 terminology, we changed an attribute name from organization_server to originating_server.

This will affect the consumption of the detector’s leads using our API.