Product updates
User and role management over API
Introducing a completely new Hunters API endpoint for managing users and roles. This new endpoint allows you to perform many user management procedures over API, including pulling lists of all users, organizations and roles, creating a new user, assigning and unassigning roles to a user, removing users, and more.
We believe this new offering will contribute to your user management process and will benefit your organization greatly, especially in multi-tenant organizations, by improving change management capabilities:
- Effortless access management: streamline access levels to Hunters
- Dynamic updates: stay in sync with IAM and IDP for seamless changes
- Scalability: scale without limits for all your tenants
For a detailed dive into the capabilities and implementation, click here.
Real-time custom detection
Until recently, custom detectors ran continuously on newly ingested data in 60-minute intervals. Because detecting risk is time-sensitive, we recently made a significant improvement in this area, cutting the interval down to 10 minutes. Today, we are happy to share that we have further reduced the interval by 50%, which means custom detectors now run in 5-minute intervals. This provides you with leads closer to the time of the incident, allowing you to triage and act rapidly.
Learn more about custom detectors
Integrations
Cisco
We’ve recently added 2 new data types from Cisco to Hunters:
Cisco Switch
Hunters now supports a new Cisco data type: Cisco Switch logs. These are logs gathered by Cisco switches about your network traffic, including any errors or issues that occurred.
The new integration includes:
- Transformation of the data into the data lake
- Mapping of the source to the Network Unified Schema
- Mapping of the source to IOC Search
Learn more here
Cisco WLC
Cisco WLC contains syslog messages from Cisco Wireless LAN Controllers. Hunters now supports this type of log as part of the growing Cisco integration offering.
The new integration includes the transformation of the data into the data lake.
Learn more here
AWS CloudWatch
A new AWS integration was added to Hunters: AWS CloudWatch logs, the latest addition to the growing coverage of AWS logs. Amazon CloudWatch is used to monitor, store, and access log files from Amazon Elastic Compute Cloud (Amazon EC2) instances, AWS CloudTrail, Route 53, and other sources.
The new integration includes the transformation of the data into the data lake.
Learn more here
Mulesoft
MuleSoft, part of Salesforce, provides integration solutions that connect applications, data, and devices across both on-premises and cloud environments. Hunters now supports MuleSoft application logs.
The new integration includes the transformation of the data into the data lake; the source was not found suitable for mapping to the Unified Schema or IOC Search.
Learn more here
Claroty
Claroty SRA
Hunters now supports a new data type from Claroty: Claroty SRA, containing logs from Claroty’s Secure Remote Access component.
The new integration includes:
- Transformation of the data into the data lake
- Mapping of the source to the Network Unified Schema
- Mapping of the source to IOC Search
Claroty CTD Events
You can now connect Claroty CTD Events independently on the Hunters platform, without the need for Hunters Support. With this change, both available Claroty data types are self-service integrations.
Learn more here
Zerofox Native Alerts
Zerofox logs are now mapped to native alerts. This means that native alerts provided by Zerofox will appear as leads on Hunters.
Learn more here
Detection
New Detectors
🔎 High number of unauthorized HTTP requests performed
Detector ID: web_requests_excessive_unauthorized
This is a time-series detector from the Web Requests content pack. It builds a baseline for the IPs that access distinct paths on the organization’s web servers and detects a high number of unauthorized HTTP requests.
Threat actors use automated tools that scan web servers and attempt to exploit them, so this behavior can indicate that such a tool is being run against your environment. It is recommended to check the IP address used to perform the requests and look for additional suspicious activity related to the requests that are part of the lead.
🔎 Export credentials via Windows Credential Manager (WCM) wizard
Detector ID: edr_export_creds_via_wcm_wizard
Threat actors might access the WCM wizard and backup (export) stored Windows credentials to a file (.crd by default). The file can then be retrieved and imported on an attacker-controlled computer to list the credentials. The clear text passwords can be revealed in several ways including password recovery software or tools that grab the passwords from memory (e.g., Mimikatz).
The detector looks for attempts to export credential records using the backup function of the Windows Credential Manager (WCM) wizard. Any click on the “Back up Credential” button in the WCM wizard triggers the following command: credwiz.exe B
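The detection described above, implemented over process-creation telemetry as an added example (this is not Hunters' detector code). It keys on the process name credwiz.exe and the B switch the page attributes to the backup button; the event records, their field names (host, user, image, command_line) and the case-insensitive switch comparison are assumptions made for the example.

```python
"""Detect credential export through the Windows Credential Manager (WCM)
backup wizard in process-creation telemetry.

Added illustration, not Hunters' detector code. The event records and their
field names (host, user, image, command_line) are constructed for this
example; map them to your EDR's process-creation schema.
"""
import shlex
from pathlib import PureWindowsPath

# The page attributes the "Back up Credential" button to the command line
# "credwiz.exe B"; the process name and the B switch are what we key on.
WCM_IMAGE = "credwiz.exe"
BACKUP_SWITCH = "B"


def command_args(command_line: str) -> list[str]:
    """Split a Windows command line into the arguments after the image.

    posix=False keeps backslashes literal (Windows paths) and leaves quotes
    attached to tokens, which are then stripped.
    """
    tokens = shlex.split(command_line, posix=False)
    return [t.strip('"') for t in tokens[1:]]


def is_wcm_backup(event: dict) -> bool:
    """True when credwiz.exe was launched with the backup switch.

    The switch comparison is case-insensitive; that is an assumption made to
    avoid misses, not a documented credwiz.exe behaviour.
    """
    image = PureWindowsPath(event.get("image", "")).name.lower()
    if image != WCM_IMAGE:
        return False
    args = command_args(event.get("command_line", ""))
    return any(arg.upper() == BACKUP_SWITCH for arg in args)


def find_wcm_exports(events):
    """Return one lead per matching event with the context an analyst wants."""
    return [
        {"host": e.get("host"), "user": e.get("user"),
         "command_line": e.get("command_line")}
        for e in events if is_wcm_backup(e)
    ]


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    {"host": "WS-0142", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\credwiz.exe",
     "command_line": "\"C:\\Windows\\System32\\credwiz.exe\" B"},  # backup click
    {"host": "WS-0142", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\credwiz.exe",
     "command_line": "credwiz.exe"},                 # wizard opened, no backup
    {"host": "WS-0077", "user": "CORP\\asmith",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "command_line": "notepad.exe B"},               # same switch, wrong image
]

if __name__ == "__main__":
    for lead in find_wcm_exports(SAMPLE_EVENTS):
        print(lead)
```

Only the first sample event produces a lead; opening the wizard without the switch, or an unrelated binary given a B argument, does not. The host and user in the lead are what you would pivot on to look for the exported .crd file leaving the machine.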
🔎 High number of internal server error HTTP requests performed
Detector ID: web_requests_excessive_internal_server_error
This detector, from the Web Requests content pack, is similar to the “High number of unauthorized HTTP requests performed” detector above, which looks at unauthorized requests. Whereas unauthorized requests might indicate an attacker scanning the environment, internal server errors might indicate bugs, but also attackers trying to exploit vulnerabilities in a web application.
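The two Web Requests detectors above (unauthorized requests and internal server errors) share the same shape: a per-IP baseline over time buckets, then a spike check in the current window. The example below, added here and not Hunters' detector code, implements that shape once for both status classes and goes slightly beyond the text by also requiring the IP to have touched several distinct paths, so a single misconfigured client retrying one URL does not look like a scanner. The access-log lines are constructed, and the hourly buckets, k, floor and min_paths values are assumed tuning parameters.

```python
"""Per-IP baseline and spike detection over web access logs, for the two
status classes the Web Requests detectors look at: unauthorized (401/403)
and internal server error (5xx).

Added illustration, not Hunters' detector code. The log lines are constructed
and the tuning values (hourly buckets, k, floor, min_paths) are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

# Common/combined log format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

STATUS_CLASSES = {
    "unauthorized": lambda s: s in (401, 403),
    "internal_server_error": lambda s: 500 <= s <= 599,
}


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": m["path"].split("?", 1)[0],   # drop the query string
        "status": int(m["status"]),
    }


def bucket_counts(lines, status_class, bucket_seconds=3600):
    """For each IP: per-bucket counts of responses in status_class, and the
    set of distinct paths the IP requested (any status)."""
    matcher = STATUS_CLASSES[status_class]
    counts = defaultdict(lambda: defaultdict(int))   # ip -> bucket id -> n
    paths = defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        paths[rec["ip"]].add(rec["path"])
        if matcher(rec["status"]):
            bucket = int(rec["ts"].timestamp()) // bucket_seconds
            counts[rec["ip"]][bucket] += 1
    return counts, paths


def detect(baseline_lines, current_lines, status_class, k=3.0, floor=20, min_paths=5):
    """Flag IPs whose count in the current window exceeds both their own
    baseline (mean + k * stdev over hourly buckets, empty buckets counted as
    zero) and an absolute floor, and that touched at least min_paths paths."""
    base_counts, _ = bucket_counts(baseline_lines, status_class)
    cur_counts, cur_paths = bucket_counts(current_lines, status_class)
    ids = {b for per_ip in base_counts.values() for b in per_ip}
    span = range(min(ids), max(ids) + 1) if ids else []
    leads = []
    for ip, buckets in cur_counts.items():
        current = sum(buckets.values())
        history = [base_counts.get(ip, {}).get(b, 0) for b in span] or [0]
        threshold = max(floor, mean(history) + k * pstdev(history))
        if current > threshold and len(cur_paths[ip]) >= min_paths:
            leads.append({"ip": ip, "status_class": status_class, "count": current,
                          "threshold": threshold, "distinct_paths": len(cur_paths[ip])})
    return leads


# Constructed sample logs (not real traffic).
def _line(ip, ts, path, status):
    return f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S %z}] "GET {path} HTTP/1.1" {status} 512'


T0 = datetime(2024, 1, 15, tzinfo=timezone.utc)
# 24 h of baseline: one internal client producing two 401s per hour.
BASELINE = [_line("10.0.0.5", T0 + timedelta(hours=h, minutes=7 * i), f"/app/page{i}", 401)
            for h in range(24) for i in range(2)]
# Current hour: the same client (normal), a scanner hitting 60 paths with 403s,
# and a client triggering 40 HTTP 500s across 10 API paths.
CURRENT = (
    [_line("10.0.0.5", T0 + timedelta(hours=24, minutes=5 * i), f"/app/page{i}", 401) for i in range(3)]
    + [_line("203.0.113.7", T0 + timedelta(hours=24, seconds=i), f"/admin/probe{i}", 403) for i in range(60)]
    + [_line("198.51.100.9", T0 + timedelta(hours=24, seconds=i), f"/api/item/{i % 10}", 500) for i in range(40)]
)

if __name__ == "__main__":
    for status_class in STATUS_CLASSES:
        for lead in detect(BASELINE, CURRENT, status_class):
            print(lead)
```

Run against the constructed data, the unauthorized class yields one lead (the 403 scanner) and the internal-server-error class yields a different one (the client producing 500s); the internal client whose 401 rate matches its own baseline is never flagged. The absolute floor matters for IPs with no history: with k * stdev of zero, a brand-new IP would otherwise trip on a handful of errors.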
Modified detectors
🔎 Suspicious Execution Under Mounted ISO Volume
Detector ID: cs_execution_under_mounted_iso
Originally, this detector was intended to detect the scenario where a user clicks an ISO file and then clicks the executable file inside it. To do that, the detector looks for executions initiated by the same explorer.exe process that mounted the ISO.
An investigation revealed that when the ISO mount was initiated by dllhost.exe and the binary execution was initiated by explorer.exe, no leads were generated.
We’ve now modified this detector to detect this scenario in addition to the original logic.
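The gap described above can be reproduced with a small correlation of mount events and process-creation events. The example below is added here and is not Hunters' detector code: it implements the original rule (mount and execution from the same explorer.exe process) and the modified rule (a mount by explorer.exe or dllhost.exe, tied to the execution by host, volume and time) side by side, and shows that only the modified rule yields a lead for the dllhost.exe case. The event records, their field names (type, host, ts, pid, image, parent_pid, parent_image, drive) and the 10-minute correlation window are assumptions for the example.

```python
"""Correlate ISO mount events with executions launched from the mounted
volume, comparing the original detector logic with the modified one.

Added illustration, not Hunters' detector code. The event records and field
names (type, host, ts, pid, image, parent_pid, parent_image, drive) are
constructed; the 10-minute correlation window is an assumed tuning value.
"""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

WINDOW = timedelta(minutes=10)  # assumed: how long after a mount an execution still counts


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _drive(path: str) -> str:
    return PureWindowsPath(path).drive.upper()


def correlate(events, mounters, require_same_process):
    """Return executions whose parent is explorer.exe and whose image lives on
    a volume that one of `mounters` mounted from an ISO within WINDOW on the
    same host. With require_same_process=True the mounting process must also
    be the parent of the execution (the original, stricter logic)."""
    mounts = [e for e in events
              if e["type"] == "iso_mount" and _name(e["image"]) in mounters]
    leads = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["type"] != "process_create" or _name(e["parent_image"]) != "explorer.exe":
            continue
        for m in mounts:
            same_host = m["host"] == e["host"]
            same_volume = _drive(e["image"]) == m["drive"].upper()
            in_window = timedelta(0) <= e["ts"] - m["ts"] <= WINDOW
            same_process = m["pid"] == e["parent_pid"]
            if same_host and same_volume and in_window and (same_process or not require_same_process):
                leads.append({"host": e["host"], "image": e["image"],
                              "mounted_by": _name(m["image"]), "mount_pid": m["pid"]})
                break
    return leads


def original_logic(events):
    """Original: the same explorer.exe process mounts the ISO and launches the binary."""
    return correlate(events, mounters={"explorer.exe"}, require_same_process=True)


def modified_logic(events):
    """Modified: also covers mounts initiated by dllhost.exe, so mount and
    execution are tied by host, volume and time rather than by process id."""
    return correlate(events, mounters={"explorer.exe", "dllhost.exe"}, require_same_process=False)


# Constructed sample events (not real telemetry).
T = datetime(2024, 1, 15, 9, 0, 0)
EXPLORER = "C:\\Windows\\explorer.exe"
DLLHOST = "C:\\Windows\\System32\\dllhost.exe"

# Scenario the detector was written for: explorer.exe mounts, then launches.
MOUNT_BY_EXPLORER = [
    {"type": "iso_mount", "host": "WS-0142", "ts": T, "pid": 4012, "image": EXPLORER, "drive": "E:"},
    {"type": "process_create", "host": "WS-0142", "ts": T + timedelta(seconds=30), "pid": 7788,
     "parent_pid": 4012, "parent_image": EXPLORER, "image": "E:\\invoice.exe"},
]
# Scenario from the investigation: dllhost.exe mounts, explorer.exe launches.
MOUNT_BY_DLLHOST = [
    {"type": "iso_mount", "host": "WS-0142", "ts": T, "pid": 5120, "image": DLLHOST, "drive": "E:"},
    {"type": "process_create", "host": "WS-0142", "ts": T + timedelta(seconds=30), "pid": 7790,
     "parent_pid": 4012, "parent_image": EXPLORER, "image": "E:\\invoice.exe"},
    # Unrelated launch from the system drive: never a lead.
    {"type": "process_create", "host": "WS-0142", "ts": T + timedelta(seconds=45), "pid": 7791,
     "parent_pid": 4012, "parent_image": EXPLORER, "image": "C:\\Windows\\System32\\notepad.exe"},
]

if __name__ == "__main__":
    print("original, explorer mount:", original_logic(MOUNT_BY_EXPLORER))
    print("original, dllhost mount: ", original_logic(MOUNT_BY_DLLHOST))
    print("modified, dllhost mount: ", modified_logic(MOUNT_BY_DLLHOST))
```

The process-id join in the original rule is what drops the dllhost.exe case: the parent of the execution is explorer.exe, but the mount was recorded under a different process. Joining on host, volume and a time window instead keeps the original scenario and adds the missed one; the window is the knob that trades recall against false positives from legitimately mounted images.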