Product updates
New and updated user roles
Hunters Roles got a much-needed update and are now more elaborate and organized than before.
New roles
Hunters is introducing new roles to serve the different members of the security team and their responsibilities: Analyst, Advanced Analyst, Security Engineer and Data Engineer. The Analyst role is dedicated to monitoring and managing security information, while the Advanced Analyst extends these responsibilities to include detection creation and tuning. Security Engineer focuses on configuring settings and thresholds, and Data Engineer specializes in managing critical data sources.
Our MSSP partners will further benefit from the MSSP Client role, providing read-only access for observing security status and contributing to data onboarding. These roles ensure a more specialized and efficient approach to our security operations.
New structure
The roles are now separated into 3 groups that will allow you to better navigate between the different roles:
- Generic roles - several SOC team functions such as Analyst, Advanced Analyst, Data Engineer, and more.
- Feature-based roles - each is specific to a single feature; assigning one to a user grants that user access to that feature only.
- MSSP-related roles - mostly relevant to MSSPs and their unique workflows.
Learn more about Hunters Roles and Permissions.
Account navigation improvements
As Hunters continues to support multi-tenant organizations and MSSPs, we’ve implemented several improvements to allow users to navigate freely between tenants and accounts on the Hunters platform. SOC teams can now easily explore and work on the platform while ensuring each team member is exposed only to the permitted information.
Multi-tenant deployment
As part of Hunters’ multi-tenant deployment, tenants can be created under the same workspace, also known as the parent tenant. Users can be invited to join one or more of these tenants within the same workspace. If a user has the Switch Account role, they can easily switch between these tenants using the account navigator in the top right corner.
Adjustments to account navigator
Previously, users could see the full list of tenants in the navigator under their workspace, even those they didn’t have access to. This posed a security risk in exposing information to unpermitted users.
Now, users will only see the tenants they’ve been explicitly invited to. This prevents them from attempting to access tenants they don’t have permission to enter.
Switching between workspaces
Users can now also switch between different workspaces if they have been invited to tenants under those workspaces. This enhancement is particularly useful for MSSPs and other organizations with the need to access multiple workspaces, such as NFR workspaces, and supports more intricate client hierarchies.
Data source health monitoring
You can now stay informed and updated about the health status of your connected data sources, under the Data Sources page.
You can monitor the health status of each data flow and determine if it’s functioning as expected or experiencing an issue. When something prevents Hunters from ingesting data from the connected data source, the system can point to the reason and recommend mitigation steps.
Learn more about data source health monitoring.
Updates to GET/leads API endpoint
The GET/leads response was enhanced with the following fields:
- is_alert - Boolean field describing whether this lead graduated into an Alert.
- threat_description - The description of the threat cluster this lead is part of.
- classification - The malicious classification attached to this lead. Valid values: none, malicious, benign, unknown.
- data_flow_tags - Tags added to the data flow from which the lead originated.
- detector_title - The title/name of the detector that detected this lead.
- detector_id - The ID generated for Custom Detectors upon creation. It can also be used with the Hunters Detection as Code APIs.
On December 18th, we will deprecate the legacy fields score and maliciousness in the GET/leads response. These fields are remnants of Hunters’ legacy scoring system, which was deprecated two years ago.
Detection latency improvements
We’ve recently succeeded in reducing latency issues we were encountering in detectors that relied on non-continuous data flows, particularly with geo IP data and organizational IP data.
Integrations
Acalvio
Hunters now supports integration with Acalvio Shadowplex Deception Incidents, containing logs from Acalvio’s Deception component.
The new integration includes:
- Transformation of the data into the data lake.
- Mapping of the source to IOC Search.
- The data can be leveraged in the Hunters custom detection feature for creating custom logic over the data.
Learn more here
Snowflake
You can now connect your Snowflake logs to Hunters. This connection will allow you to access Snowflake DB tables and includes the following data types:
- snowflake-query-history
- snowflake-login-history
- snowflake-reader-account-query-history
- snowflake-reader-account-login-history
Currently, the integration is only available for Partner Connect customers, but we are in the process of extending it to Hunters Hosted Reader Account customers as well.
Learn more here
Crowdstrike FileVantage
A new data type from Crowdstrike is now supported - Crowdstrike FileVantage. FileVantage provides data about changes made to resources and files as defined in Crowdstrike FileVantage policies and rules.
The new integration includes:
- Collection of the data via the Crowdstrike API.
- Transformation of the data into the data lake.
- Mapping of the source to IOC Search.
- The data was not mapped as an alert, as the events’ fidelity was not high enough. Customers can leverage the data for custom analytics with aggregations if needed.
Learn more here
Vicarius
Hunters now supports an integration with Vicarius. Vicarius is an all-in-one vulnerability assessment and management solution that lets you run real-time and network scans and analyze proprietary and niche applications for vulnerabilities.
This integration currently includes the Vicarius Event logs data type, containing logs from Vicarius Vulnerabilities and Assets Management Solution.
The new integration includes:
- Collection of the data via the Vicarius API.
- Transformation of the data into the data lake.
- Mapping of the source to IOC Search.
- Mapping of the source to Vulnerability Management Findings unified schema.
Learn more here
Detection
New Detectors
🔎 Possible password spraying
Detector ID: login_logs_password_spraying
Password spraying is a subtechnique of brute force. It describes an attacker who tries to log into multiple unique users in the organization in the hopes of finding one that uses weak passwords.
Threat actors usually use password spraying as a method of brute forcing their way into organizational accounts. This lead indicates an IP address that does not belong to the organization attempting to log in to multiple organizational users without success. It is recommended to check whether the IPs are in fact part of the organization and whether they appear in threat intel feeds. It should also be checked whether the password spraying attempt succeeded, i.e., whether there were any successful logins from the IP address involved in the lead.
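As an added illustration (not Hunters' own detector code), here is a simplified Python version of the logic described above: one external source IP failing logins against many distinct users within a short window, followed by the recommended check for any successful login from that IP. The event format, thresholds, window and organizational IP range are assumptions constructed for this example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log: (timestamp, source_ip, username, outcome)
LOGIN_EVENTS = [
    ("2023-12-01T10:00:00", "203.0.113.7", "alice", "failure"),
    ("2023-12-01T10:00:05", "203.0.113.7", "bob", "failure"),
    ("2023-12-01T10:00:09", "203.0.113.7", "carol", "failure"),
    ("2023-12-01T10:00:14", "203.0.113.7", "dave", "failure"),
    ("2023-12-01T10:00:20", "203.0.113.7", "erin", "failure"),
    ("2023-12-01T10:02:00", "203.0.113.7", "erin", "success"),  # spray succeeded
    ("2023-12-01T10:01:00", "10.0.0.5", "alice", "failure"),    # internal, one user
    ("2023-12-01T10:01:10", "10.0.0.5", "alice", "failure"),
    ("2023-12-01T10:01:20", "10.0.0.5", "alice", "success"),
]

# Assumed organizational IP space (stands in for the org IP data mentioned above).
ORG_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]


def is_org_ip(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ORG_NETWORKS)


def detect_password_spraying(events, min_users=5, window=timedelta(minutes=10)):
    """Return one lead per non-organizational IP that failed logins for at least
    `min_users` distinct users inside `window`, noting whether any login from
    that IP succeeded (the follow-up check recommended in the lead description)."""
    failures = defaultdict(list)  # ip -> [(timestamp, user)]
    successes = defaultdict(set)  # ip -> {user}
    for ts_str, ip, user, outcome in events:
        ts = datetime.fromisoformat(ts_str)
        if outcome == "failure":
            failures[ip].append((ts, user))
        elif outcome == "success":
            successes[ip].add(user)
    leads = []
    for ip, fails in failures.items():
        if is_org_ip(ip):
            continue  # organizational IPs are out of scope for this detector
        fails.sort()
        for i, (start, _) in enumerate(fails):  # sliding window over failures
            users = {u for t, u in fails[i:] if t - start <= window}
            if len(users) >= min_users:
                leads.append({"source_ip": ip, "distinct_users": len(users),
                              "succeeded": bool(successes[ip]),
                              "compromised_users": sorted(successes[ip])})
                break
    return leads
```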