February 2024 (2)


Product updates

New functionalities in the SOC Queue

The SOC Queue is the place for day-to-day tasks and workload management. As such, it must be as comfortable as possible to work with. We recently added the following improvements to the usability of the SOC Queue:

New filters
The new SOC Queue filters offer much more control and flexibility over your view. You can use them to easily show only the Alerts or Hot Stories you’re looking for. You can also use the new filters to locate unassigned Alerts, Leads, and Stories, to ensure you are not missing any critical incident that requires attention.


Relocated threshold setting
Previously, you could define the Alerts and Hot Stories threshold by clicking the Alert Threshold button. For convenience, we’ve moved this option to the top of the page and renamed it Queue Configuration, to allow for future additions to this feature.



Expanded view
For better visibility of your SOC Queue working space, you can now expand your view by clicking Hide dashboard from the upper part of the page.


Learn more about working with the SOC Queue.



Integrations

Skyhigh

Skyhigh Secure Web Gateway is a web security product that protects networks against web threats. This new integration currently covers Skyhigh SWG logs, which are aggregated by the Skyhigh appliance.

The new integration includes:

  • Ingestion of the data to the data lake
  • Mapping Skyhigh SWG Logs to Hunters’ Proxy Events schema
  • Mapping Skyhigh SWG Logs to IOC Search

Learn more here

MikroTik

MikroTik develops and sells wired and wireless network routers, network switches, and access points, as well as operating systems and auxiliary software. MikroTik logs provide insight into various system events and status information.

The new integration includes the ingestion of the data to the data lake.

Learn more here

pfSense

pfSense is a free and open-source firewall and router that also features unified threat management, load balancing, multi-WAN, and more. pfSense filter logs, the raw filter log output generated by pfSense software for its internal filter log and the log output transmitted over syslog to remote hosts, consist of a single line of comma-separated values per entry.

The new integration includes:

  • Ingestion of the data to the data lake
  • Mapping the data to Hunters’ Network Schema
  • Mapping the data to IOC Search

Learn more here

Kubernetes

Kubernetes, also known as K8s, is an open-source system for automating the deployment, scaling, and management of containerized applications. Kubernetes auditing provides a security-relevant, chronological set of records documenting the sequence of actions in a cluster. The cluster audits the activities generated by users, by applications that use the Kubernetes API, and by the control plane itself.

The new integration includes:

  • Ingestion of the data to the data lake
  • Mapping the data to Hunters’ Kubernetes Schema
  • Mapping the data to IOC Search

Learn more here

Imperva SecureSphere WAF

A new data type from Imperva is now supported: Imperva SecureSphere WAF, which includes alerts generated by the SecureSphere product.

The new integration includes:

  • Ingestion of the data to the data lake
  • Mapping the data to IOC Search

Learn more here


Detection

New detectors

🔎 Creation or modification of external-facing Kubernetes NodePort Service

Detector ID: k8s_creation_or_modification_of_nodeport_service

A Kubernetes NodePort Service exposes a chosen application outside the cluster (i.e. it exposes a port from a certain range on the node the application is running on). Therefore, the creation or modification of an external-facing Kubernetes NodePort Service is a possible way for a malicious actor to establish persistence in the cluster.

This new detector looks for the creation or modification of a Kubernetes NodePort Service, a method of exposing an application outside the cluster.
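As an added illustration (not Hunters’ own detector logic, which this page does not show), the following Python sketch applies the same idea to constructed Kubernetes audit events: it flags successful create/update/patch requests against Service objects whose submitted spec.type is NodePort, and ignores reads, ClusterIP services, and requests the API server rejected. Field names follow the audit.k8s.io/v1 Event schema; the sample users, namespaces, and service names are made up, and the audit policy is assumed to log request bodies (Request or RequestResponse level), since the rule reads requestObject.

```python
import json

# Constructed sample audit events (audit.k8s.io/v1 at RequestResponse level), trimmed
# to the fields the rule inspects; not real cluster data.
SAMPLE_EVENTS = [
    {"verb": "create", "user": {"username": "system:serviceaccount:default:ci"},
     "objectRef": {"resource": "services", "namespace": "default", "name": "web"},
     "responseStatus": {"code": 201},
     "requestObject": {"spec": {"type": "NodePort", "ports": [{"port": 80, "nodePort": 30080}]}}},
    {"verb": "patch", "user": {"username": "alice"}, "responseStatus": {"code": 200},
     "objectRef": {"resource": "services", "namespace": "prod", "name": "api"},
     "requestObject": {"spec": {"type": "NodePort"}}},
    {"verb": "create", "user": {"username": "bob"}, "responseStatus": {"code": 201},
     "objectRef": {"resource": "services", "namespace": "default", "name": "db"},
     "requestObject": {"spec": {"type": "ClusterIP"}}},
    {"verb": "get", "user": {"username": "alice"}, "responseStatus": {"code": 200},
     "objectRef": {"resource": "services", "namespace": "prod", "name": "api"}},
    {"verb": "create", "user": {"username": "eve"}, "responseStatus": {"code": 403},
     "objectRef": {"resource": "services", "namespace": "default", "name": "blocked"},
     "requestObject": {"spec": {"type": "NodePort"}}},
]
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)  # one event per line

WRITE_VERBS = {"create", "update", "patch"}

def is_nodeport_write(event: dict) -> bool:
    """True for a successful create/update/patch of a Service whose submitted spec.type
    is NodePort. Requires Request or RequestResponse audit level so requestObject is
    logged; a JSON-patch body arrives as a list, not a dict, and is skipped here."""
    if event.get("verb") not in WRITE_VERBS:
        return False
    if event.get("objectRef", {}).get("resource") != "services":
        return False
    if event.get("responseStatus", {}).get("code", 0) >= 300:
        return False  # denied or failed requests changed nothing in the cluster
    req = event.get("requestObject")
    return isinstance(req, dict) and req.get("spec", {}).get("type") == "NodePort"

def detect_nodeport_services(audit_log: str) -> list:
    """Return (user, verb, namespace/name, [nodePort, ...]) for each matching line."""
    hits = []
    for line in audit_log.splitlines():
        event = json.loads(line)
        if is_nodeport_write(event):
            ref, spec = event["objectRef"], event["requestObject"]["spec"]
            hits.append((event["user"]["username"], event["verb"],
                         f"{ref['namespace']}/{ref['name']}",
                         [p.get("nodePort") for p in spec.get("ports", [])]))
    return hits
```

Note the gap the docstring names: a JSON-patch (list-shaped) body that sets spec.type to NodePort is not matched by this sketch, so a production rule would also need to inspect patch operations or the responseObject.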

New enrichments

We recently added two new enrichments that provide more context on leads and alerts from Microsoft 365 Defender Cloud Application:

  • O365_file_history - This enrichment queries the SharePoint and OneDrive workloads to fetch the suspicious file's history, including who accessed or uploaded it. It also creates a new entity for the uploader's IP address if one is found.
  • O365_threat_intel_file_info - This enrichment queries the ThreatIntelligence workload to fetch metadata that can assist in investigating the file. The enrichment contains both file metadata (size, path, last modified by whom and when) and information about the detection's signature (malware type).