January 2024


Product updates

Data ingestion from GCP buckets

In addition to ingestion via an AWS S3 bucket, Hunters now allows selected log types to be ingested using a GCP bucket in a Self-Service Ingestion method.


This collection method is currently available only for GCP Audit logs and for Palo Alto Networks EDR Raw Logs. The process requires you to create a GCP service account with the Storage Object Viewer and Storage Insights Collector Service roles. You’ll also need to add a key to the service account, which you download as a JSON file. Then, after setting up the required bucket permissions, you upload the JSON key file to Hunters. Treat that key file as a long-lived credential: grant the roles on the ingestion bucket rather than project-wide where possible, keep the file out of repositories and shared drives, and delete the key in GCP if it is ever exposed.
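As an added example (not Hunters' tooling and not part of the original note), the following Python script performs two checks a practitioner would want before uploading the key: that the downloaded JSON really is a service-account key for the expected project, and that the service account holds nothing beyond the two roles named above on the ingestion bucket. The key-file and bucket-policy shapes follow what `gcloud iam service-accounts keys create` and `gcloud storage buckets get-iam-policy gs://<bucket> --format=json` emit; the project name, account name and the embedded sample documents are constructed.

```python
import json

# Roles the ingestion service account is expected to hold on the bucket
# (the two named in the release note); anything else is over-privilege.
ALLOWED_ROLES = {
    "roles/storage.objectViewer",
    "roles/storage.insightsCollectorService",
}

# Constructed sample key file. A real one carries a full PKCS#8 key and
# real IDs; the values here are placeholders, not a usable credential.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nREDACTED\n-----END PRIVATE KEY-----\n",
    "client_email": "hunters-ingest@example-project.iam.gserviceaccount.com",
    "client_id": "100000000000000000000",
})

# Constructed bucket IAM policy in the JSON shape gcloud prints. The
# storage.admin binding is the kind of leftover this check is meant to catch.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:hunters-ingest@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/storage.insightsCollectorService",
         "members": ["serviceAccount:hunters-ingest@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/storage.admin",
         "members": ["user:admin@example.com",
                     "serviceAccount:hunters-ingest@example-project.iam.gserviceaccount.com"]},
    ],
    "etag": "BwX0000000=",
    "version": 1,
})


def check_key_file(key_json, expected_project):
    """Return the problems found with a service-account key file; [] means it looks right."""
    key = json.loads(key_json)
    problems = []
    if key.get("type") != "service_account":
        problems.append("type is %r, not service_account" % key.get("type"))
    if key.get("project_id") != expected_project:
        problems.append("project_id %r != %r" % (key.get("project_id"), expected_project))
    email = key.get("client_email", "")
    if not email.endswith("@%s.iam.gserviceaccount.com" % expected_project):
        problems.append("client_email %r is not a service account of %s" % (email, expected_project))
    pem = key.get("private_key", "")
    if not (pem.startswith("-----BEGIN PRIVATE KEY-----")
            and pem.rstrip().endswith("-----END PRIVATE KEY-----")):
        problems.append("private_key is not a PEM private-key block")
    return problems


def excess_bucket_roles(policy_json, sa_email):
    """Return roles the service account holds on the bucket beyond ALLOWED_ROLES."""
    policy = json.loads(policy_json)
    member = "serviceAccount:" + sa_email
    extra = {b["role"] for b in policy.get("bindings", [])
             if member in b.get("members", []) and b["role"] not in ALLOWED_ROLES}
    return sorted(extra)


if __name__ == "__main__":
    sa = "hunters-ingest@example-project.iam.gserviceaccount.com"
    print("key problems:", check_key_file(SAMPLE_KEY, "example-project") or "none")
    print("excess roles:", excess_bucket_roles(SAMPLE_POLICY, sa) or "none")
```

Against real files, feed `check_key_file` the contents of the downloaded key and `excess_bucket_roles` the output of `gcloud storage buckets get-iam-policy gs://<bucket> --format=json`; a non-empty result means fix the binding before uploading the key. `gcloud iam service-accounts keys list --iam-account=<email>` lists every key that exists for the account, which is the inventory you need when rotating it later.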

Learn more here

Upcoming terminology changes

In an effort to simplify the Hunters experience, and after conducting user research into the matter, we've decided to slightly update the Hunters terminology.

In the upcoming weeks you will see the following changes on the Hunters platform:

  • Analytic will become Detector.
  • Native alert will become 3rd party lead.
  • Mega-entity will become Entity.

Integrations

Cisco

Cisco VPN

Hunters now supports a new data type from Cisco: Cisco VPN Auth logs from Cisco AnyConnect.

The new integration includes:

  • Transformation of the data into the data lake.
  • Mapping of the Access source to IOC Search.
  • Mapping of the Access source to Login Schema.

Learn more here

Meraki Air Marshal

Another new Cisco log type is now supported by Hunters: Meraki Air Marshal logs. Air Marshal is Cisco Meraki’s wireless intrusion prevention system (WIPS): it lets network administrators monitor the airspace for rogue access points and other wireless attacks and contain them.

The integration covers the Air Marshal logs and incidents reported by on-prem Meraki appliances for the internal LAN.

The new integration includes:

  • Ingestion of the data into the data lake through AWS S3 storage.
  • Support for custom detections.

Learn more here

Jamf Server

Hunters supports new log types from Jamf Server, the Jamf on-prem component: Jamf System Access Logs and Jamf System Change Management Logs.

The new integration includes:

  • Transformation of the data into the data lake.
  • Mapping of the access source to IOC Search.
  • Mapping of the access source to Login Unified Schema.

Learn more here

Abnormal Security

The integration with Abnormal Security was recently revamped to include the following:

  • Support for self-service ingestion.
  • Transformation of the data to the data lake.
  • Native Alerts written over the data.
  • Mapping of the data to the IOC Search feature.

Learn more here

Imperva Incapsula

Hunters now supports the ingestion of logs from the Imperva Incapsula Cloud WAF solution, including access and event logs from the Imperva Incapsula cloud repository and archive.

The integration includes:

  • Transformation of the data into the data lake.
  • Mapping of the data to the Hunters Web Requests Schema.
  • Mapping to the IOC Search feature.

Learn more here

Keeper

Hunters now supports the ingestion of logs from Keeper - a provider of zero-knowledge security and encryption software covering password management, secrets management, connection management, dark web monitoring, digital file storage, secret messaging, and more.

The new integration includes:

  • Ingestion of the data into the data lake through AWS S3.
  • Mapping of the data to the Hunters Login schema.
  • Mapping of the data to the IOC Search feature.

Learn more here

BeyondTrust

BeyondTrust's Privileged Access Management (PAM) solution is designed to provide protection over privileged accounts, which are often targeted by cyber attackers to gain unauthorized access to critical systems and sensitive data.

The new integration includes:

  • Collection of the data via the API.
  • Ingestion of the data to the data lake, for 2 data sources:
    • BeyondTrust Events - events captured on the endpoint by BeyondTrust.
    • BeyondTrust Activity Audit - audit events from the BeyondTrust console.
  • Mapping of the Events data to the Hunters EDR Process and EDR Logon schemas.
  • Mapping of the Events data to the IOC Search feature.

Learn more here

Zscaler ZIA Audit

Zscaler ZIA Audit logs record the actions of every admin in the ZIA Admin Portal and the actions performed through the Cloud Service APIs. Hunters now supports ingesting these logs as part of its Zscaler offering.

The new integration includes:

  • Ingestion of the data to the data lake.
  • Mapping of the data to the Hunters Login schema.
  • Mapping of the data to the IOC Search feature.

Learn more here

Snowflake

Until recently, the Snowflake integration was available only to Partner Connect customers. We’re glad to share that this data source is now open to all customers.

Learn more here


Detection

New Detectors

🔎 Potential Payload Retrieval from a New WebDAV Server

Detector ID: proxy_new_webdav_payload_retrieval

This is a detect-changes detector that looks for an outgoing WebDAV (GET) request to a new server.

The detector identifies retrieval of a WebDAV-hosted payload: an HTTP GET request made over WebDAV (identified by the default WebDAV user agent) to a server not previously seen in the environment. Such a request may be initiated either when a user is tricked into opening a file that references a WebDAV-hosted payload, or programmatically as part of an earlier stage of the attack.
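The detect-changes logic described above, as an added example written for this page (it is not the Hunters detector): proxy records are filtered to GET requests carrying the user agent of the Windows WebDAV mini-redirector, and the first such request to any server absent from a look-back baseline raises a lead listing every client that fetched from it. The log layout, field names and sample lines are constructed; `Microsoft-WebDAV-MiniRedir/` is the real prefix Windows sends, but other WebDAV clients would need their own user-agent strings added.

```python
from datetime import datetime

# User-agent prefix of the Windows WebDAV mini-redirector, the client that
# handles \\host\share paths (and .lnk/.url targets) that resolve to WebDAV.
WEBDAV_UA_PREFIX = "Microsoft-WebDAV-MiniRedir/"

# Constructed proxy log lines (tab-separated):
# timestamp  src_ip  method  host  path  status  user_agent
SAMPLE_PROXY_LOG = """\
2024-01-10T09:00:01Z\t10.1.1.5\tGET\tfiles.corp.example\t/share/readme.txt\t200\tMicrosoft-WebDAV-MiniRedir/10.0.19041
2024-01-10T09:02:11Z\t10.1.1.7\tPROPFIND\t203.0.113.10\t/pub/\t207\tMicrosoft-WebDAV-MiniRedir/10.0.19041
2024-01-10T09:02:12Z\t10.1.1.7\tGET\t203.0.113.10\t/pub/invoice.lnk\t200\tMicrosoft-WebDAV-MiniRedir/10.0.19041
2024-01-10T09:05:40Z\t10.1.1.9\tGET\t203.0.113.10\t/pub/loader.js\t200\tMicrosoft-WebDAV-MiniRedir/10.0.19041
2024-01-10T09:06:00Z\t10.1.1.9\tGET\tcdn.example.net\t/lib.js\t200\tMozilla/5.0 (Windows NT 10.0) Chrome/120.0
"""

FIELDS = ("ts", "src_ip", "method", "host", "path", "status", "user_agent")


def parse_proxy_log(text):
    """Yield one dict per non-empty log line, in the order written."""
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(FIELDS, line.split("\t", len(FIELDS) - 1)))
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        rec["status"] = int(rec["status"])
        yield rec


def is_webdav_get(rec):
    """A payload fetch: GET issued by the WebDAV redirector (PROPFIND etc. are discovery)."""
    return rec["method"] == "GET" and rec["user_agent"].startswith(WEBDAV_UA_PREFIX)


def new_webdav_retrievals(records, baseline_servers):
    """Detect-changes rule: one lead per server not seen in the baseline.

    baseline_servers: hosts that served WebDAV GETs during the look-back
    period before this batch (e.g. the previous 30 days). The lead keeps
    the first request and every client that fetched from the server.
    """
    leads = {}
    for rec in sorted(records, key=lambda r: r["ts"]):
        if not is_webdav_get(rec) or rec["host"] in baseline_servers:
            continue
        lead = leads.setdefault(rec["host"], {
            "server": rec["host"],
            "first_seen": rec["ts"],
            "first_client": rec["src_ip"],
            "clients": set(),
            "paths": [],
        })
        lead["clients"].add(rec["src_ip"])
        lead["paths"].append(rec["path"])
    return list(leads.values())


if __name__ == "__main__":
    baseline = {"files.corp.example"}   # constructed: the only WebDAV server seen before
    for lead in new_webdav_retrievals(parse_proxy_log(SAMPLE_PROXY_LOG), baseline):
        print(lead)
```

Build the baseline with the same `is_webdav_get` filter over the look-back window, otherwise a server that only ever answered PROPFIND would count as "known" and its first payload GET would be missed. The PROPFIND in the sample is deliberately left out of the lead for the same reason: it is the directory listing that precedes the fetch, not the fetch itself.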

🔎 Suspicious Conhost.exe Indirect Execution

Detector ID: edr_conhost_indirect_execution

conhost.exe was introduced with Windows 7 as the console host: it sits between csrss.exe, which owned console windows in earlier versions, and console applications such as cmd.exe. Conhost can also be used to launch arbitrary executables, a technique known as indirect process execution. The idea is to use conhost.exe as a loader that breaks the expected parent-child process relationship in order to evade security products and detections. Threat actors, particularly initial access brokers, often employ indirect process execution through conhost.exe as a key method in their initial access infection chains.
This detector, developed as part of Team Axon’s threat-hunting efforts, finds unusual conhost.exe indirect executions while discounting typical scenarios such as console sessions linked to physical or virtual consoles.
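An added example of the distinction the detector draws, written for this page rather than taken from the Hunters detector: a normal conhost.exe launch carries a console handle (`0x4`, `0xffffffff -ForceV1`) as its argument, whereas indirect execution passes a program to run, optionally behind `--headless`. The rule below flags the latter and, as a second signal, any process whose parent is conhost.exe. The EDR event fields and the sample events are constructed.

```python
import re
import shlex

# A console handle (0x4, 0xffffffff) or a bare number following a switch;
# these never name a program to run.
NUMERIC_RE = re.compile(r"^(0x[0-9a-fA-F]+|\d+)$")

# Constructed EDR process-creation events; field names are assumptions.
SAMPLE_EVENTS = [
    {"pid": 4120, "name": "conhost.exe", "parent_name": "cmd.exe",
     "cmdline": r"\??\C:\WINDOWS\system32\conhost.exe 0x4"},
    {"pid": 4188, "name": "conhost.exe", "parent_name": "powershell.exe",
     "cmdline": r"C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1"},
    {"pid": 5012, "name": "conhost.exe", "parent_name": "WINWORD.EXE",
     "cmdline": r'conhost.exe --headless "C:\Users\bob\AppData\Local\Temp\update.exe"'},
    {"pid": 5020, "name": "update.exe", "parent_name": "conhost.exe",
     "cmdline": r"C:\Users\bob\AppData\Local\Temp\update.exe"},
    {"pid": 5100, "name": "notepad.exe", "parent_name": "explorer.exe",
     "cmdline": r"C:\WINDOWS\system32\notepad.exe"},
]


def split_windows_cmdline(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes.

    posix=False keeps backslashes literal; the surrounding quotes are stripped.
    """
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]


def conhost_target(cmdline):
    """Return the program conhost was asked to launch, or None for a console session."""
    for tok in split_windows_cmdline(cmdline)[1:]:
        if tok.startswith("-") or NUMERIC_RE.match(tok):
            continue          # switch (-ForceV1, --headless) or handle / switch value
        return tok            # first positional non-numeric argument names a program
    return None


def conhost_indirect_execution(events):
    """Return (pid, reason) leads for conhost-mediated launches."""
    leads = []
    for ev in events:
        if ev["name"].lower() == "conhost.exe":
            target = conhost_target(ev["cmdline"])
            if target is not None:
                leads.append((ev["pid"], "conhost.exe launching %s (parent %s)"
                              % (target, ev["parent_name"])))
        elif ev["parent_name"].lower() == "conhost.exe":
            leads.append((ev["pid"], "%s spawned by conhost.exe" % ev["name"]))
    return leads


if __name__ == "__main__":
    for pid, reason in conhost_indirect_execution(SAMPLE_EVENTS):
        print(pid, reason)
```

The two signals complement each other: the command-line check fires on the conhost event itself even when the EDR loses the child, while the parent check catches the launched program even when the conhost command line was truncated or not recorded.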

Modified Detectors

Noise reduction and fidelity improvements

We’ve recently improved the following web request detectors:

  • Web Application SQL Injection (web_server_sql_injection)
  • Web Path Traversal Attempt (web_path_traversal)

Both detectors trigger leads on SQLi / Path Traversal attempts (grouped hourly). To improve fidelity, we added a filter on SUM(is_request_successful) > 0, so leads will be triggered only if the attempts include at least one successful attempt. Furthermore, we’ve adjusted the filters on SQLi to remove some very noisy use cases.

These modifications are expected to lower the noise for SQLi by 80% and for Path Traversal by 33%.
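To make the fidelity filter concrete, here is an added example (not the Hunters detector logic) that loads constructed web-request rows into an in-memory SQLite table and runs the hourly grouping with and without the `HAVING SUM(is_request_successful) > 0` clause. `is_request_successful` is derived here as "status is 2xx"; the table layout, the crude attack-matching expressions and the sample rows are assumptions.

```python
import sqlite3

# Constructed rows: (ts, src_ip, uri, status). Two sources probe with SQLi,
# two with path traversal; in each pair only one ever gets a 2xx back.
SAMPLE_REQUESTS = [
    ("2024-01-10T10:01:00", "198.51.100.7", "/search?q=1' OR 1=1--", 403),
    ("2024-01-10T10:01:03", "198.51.100.7", "/search?q=1 UNION SELECT 1,2,3", 403),
    ("2024-01-10T10:01:06", "198.51.100.7", "/search?q=1' OR 'a'='a", 403),
    ("2024-01-10T10:20:00", "198.51.100.9", "/item?id=5 UNION SELECT user,pass FROM users", 500),
    ("2024-01-10T10:20:09", "198.51.100.9", "/item?id=5 UNION SELECT 1,2", 200),
    ("2024-01-10T11:02:00", "203.0.113.5", "/static/../../etc/passwd", 404),
    ("2024-01-10T11:02:30", "203.0.113.5", "/static/..%2f..%2fetc/passwd", 200),
    ("2024-01-10T11:40:00", "203.0.113.6", "/img/../../../windows/win.ini", 404),
    ("2024-01-10T11:41:00", "10.0.0.4", "/index.html", 200),
]

# Deliberately simple match expressions standing in for each detector's
# real pattern set. GLOB is case-sensitive, hence lower(); '%' is literal in GLOB.
ATTACK_FILTERS = {
    "web_server_sql_injection":
        "lower(uri) GLOB '*union*select*' OR lower(uri) GLOB '*'' or *'",
    "web_path_traversal":
        "uri GLOB '*../*' OR lower(uri) GLOB '*..%2f*'",
}


def load(rows):
    """Create the web_requests table; is_request_successful = 1 for 2xx responses."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE web_requests (ts TEXT, src_ip TEXT, uri TEXT,"
                 " status INTEGER, is_request_successful INTEGER)")
    conn.executemany("INSERT INTO web_requests VALUES (?,?,?,?,?)",
                     [(ts, ip, uri, st, 1 if 200 <= st < 300 else 0)
                      for ts, ip, uri, st in rows])
    return conn


def hourly_leads(conn, detector, require_success=True):
    """Attempts grouped per source and hour; with require_success only groups
    containing at least one successful request survive (the fidelity filter)."""
    sql = """
        SELECT strftime('%Y-%m-%dT%H:00', ts) AS hour, src_ip,
               COUNT(*) AS attempts, SUM(is_request_successful) AS successes
        FROM web_requests
        WHERE {match}
        GROUP BY hour, src_ip
    """.format(match=ATTACK_FILTERS[detector])
    if require_success:
        sql += " HAVING SUM(is_request_successful) > 0"
    sql += " ORDER BY hour, src_ip"
    return conn.execute(sql).fetchall()


def suppressed_fraction(conn, detector):
    """Share of hourly groups the success filter removes for this detector."""
    before = len(hourly_leads(conn, detector, require_success=False))
    after = len(hourly_leads(conn, detector, require_success=True))
    return (before - after) / before if before else 0.0


if __name__ == "__main__":
    conn = load(SAMPLE_REQUESTS)
    for det in ATTACK_FILTERS:
        print(det, "all groups:", hourly_leads(conn, det, require_success=False))
        print(det, "with filter:", hourly_leads(conn, det))
        print(det, "suppressed: %.0f%%" % (100 * suppressed_fraction(conn, det)))
```

The filter only helps when "successful" is meaningful: an application that answers blocked or failed requests with HTTP 200 (a WAF block page, a custom error page) would make every attempt count as successful and the clause would suppress nothing. Check how the front end reports failures before relying on it.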

Removal of irrelevant data sources from web request detectors

Starting Dec 24, 2023, the web request detectors listed below no longer run on the following data sources: Zscaler Internet Access (ZIA), iboss Web Activity, Cisco Umbrella Proxy and Symantec Cloud SWG.

The web request detectors:

  • Web Application SQL Injection (web_server_sql_injection)
  • Web Path Traversal Attempt (web_path_traversal)
  • Anomalous Number of Unauthorized Http Requests Performed (web_requests_excessive_unauthorized)
  • Anomalous Number of Internal Server Error Http Responses (web_requests_excessive_internal_server_error)

These four data sources are Secure Web Gateway (SWG) products: they record outbound user browsing rather than web application traffic directed at enterprise web servers. Since the web request detectors above look for attacks on enterprise web servers, running them on SWG data is not effective. This change is expected to improve performance and to reduce the noise originating from these detectors by 66%.