May 2024


Note

This article was originally published on May 16, 2024.

Integrations

Cofense

Cofense, formerly known as PhishMe, is a provider of comprehensive cybersecurity solutions that focus on empowering organizations to detect, respond to, and mitigate phishing threats. Their services include phishing detection and response tools, as well as training and simulation products to enhance employees' awareness and ability to identify phishing attempts.

The new integration includes:

  • 2 supported data types:

    • Cofense Threat Intel Feed

    • Cofense Reports

  • Ingestion of the data to the data lake

  • Mapping the data to Hunters’ Login Schema

  • Mapping the data to IOC Search

Learn more here

Cisco Meraki Syslog

Meraki devices can generate syslog logs, which are messages containing information about system events, status, and performance. These logs can be sent to a syslog server for storage, analysis, and monitoring. Syslog logs from Meraki devices can provide valuable insights into network activity, security incidents, and device performance. By analyzing syslog logs, administrators can identify and troubleshoot issues, monitor network traffic, and ensure compliance with security policies. Meraki syslog logs can be configured to include different levels of detail, allowing administrators to customize the logging process to meet their specific needs.

The new integration includes:

  • Ingestion of the data to the data lake

  • Mapping the data to Hunters’ Network Schema

  • Mapping the data to IOC Search

Learn more here

Darktrace Model Breaches Details

Darktrace Model Breaches Details are a supplement to the Alert logs. They are used to gather detailed information about a specific model breach alert, or about a device and its connections for investigation or monitoring purposes.

The new integration includes:

  • Ingestion of the data to the data lake

  • Mapping the data to IOC Search

Learn more here

Alibaba Cloud

Alibaba Bastion

Alibaba Cloud Bastion Host is a secure, cloud-based service that provides users a unified interface to manage access to their Elastic Compute Service (ECS) instances and other cloud resources. It acts as a critical control point for administrators, allowing them to authenticate, authorize, and audit access to servers without exposing them directly to the internet. This service helps reduce the risk of external attacks while simplifying the management of permissions and credentials for organizations operating in the cloud.

The new integration includes:

  • Ingestion of the data to the data lake

  • Mapping the data to Hunters’ Login Schema

  • Mapping the data to IOC Search

Learn more here

Alibaba OSS

Alibaba Cloud Object Storage Service (OSS) is a secure, cost-effective, and highly scalable cloud storage solution designed to store, back up, and archive large amounts of data. With its flexible storage class options, OSS allows users to optimize storage costs based on their data access patterns. It offers high availability and reliability, ensuring that data is always accessible. Additionally, OSS integrates seamlessly with other Alibaba Cloud services, making it easy to build scalable and resilient applications. Its robust security features, including encryption, access control, and data protection, ensure that data remains secure at all times. Overall, Alibaba OSS is a powerful storage solution that enables businesses to store and manage their data efficiently in the cloud.

The new integration includes:

  • Ingestion of the data to the data lake

  • Mapping the data to IOC Search

Learn more here

Mimecast

Mimecast Attachment TTP logs

Mimecast's Targeted Threat Protection (TTP) for attachments is a security feature designed to protect organizations from malicious email attachments. The "Attachment TTP" part specifically refers to the scanning and analysis of email attachments to detect potential threats such as viruses, malware, or other harmful content before they reach the end user's inbox.

The new integration includes:

  • Ingestion of the data to the data lake

  • Mapping the data to Hunters’ Email Activity Schema

  • Mapping the data to IOC Search

Learn more here

Mimecast URL TTP logs

The URL TTP service scans, rewrites, and checks the safety of URLs contained within email messages to prevent phishing attacks, malware downloads, and other security threats.

The new integration includes:

  • Ingestion of the data to the data lake

  • Mapping the data to Hunters’ Email Activity Schema

  • Mapping the data to IOC Search

Learn more here

Imperva

Imperva Near Real Time SIEM Integration

Imperva's Near Real-Time Log Integration is a feature that enables organizations to stream security logs from their Imperva products to external SIEM systems in near real-time. This integration provides organizations with enhanced visibility into security events and enables faster incident response.

The new integration includes:

  • Ingestion of the data to the data lake

  • Mapping the data to Hunters’ Web Requests Schema

  • Mapping the data to IOC Search

Learn more here

Imperva Attack Analytics

Imperva Attack Analytics is a cybersecurity product that leverages machine learning and artificial intelligence to provide advanced threat detection and analysis capabilities. It is designed to help organizations identify and respond to sophisticated cyber threats in real-time. Attack Analytics monitors network traffic, application logs, and user behavior to detect anomalies and suspicious activities that may indicate a security breach.

The new integration includes:

  • Ingestion of the data to the data lake

  • Mapping of third-party alerts

  • Mapping the data to IOC Search

Learn more here


Detection

New detectors

💡Detectors below are part of the Kubernetes Detection Pack

With the growing adoption of container orchestration solutions such as Kubernetes for application management and deployment, solid security measures are more critical than ever. We took it upon ourselves to explore the complex realm of Kubernetes security, beginning with the essential Kubernetes API audit log and its pivotal role in spotting and neutralizing potential security threats. We will also cover strategies for detecting and countering key threat tactics such as Initial Access, Privilege Escalation, Defense Evasion, and Discovery.

🔎 Creation or modification of RoleBinding with a highly privileged built-in role

Detector ID: k8s_suspicious_high_privilege_rolebinding

Creating or updating a RoleBinding or ClusterRoleBinding to an overly permissive built-in role (e.g. admin) is a privilege escalation method that lets an attacker gain highly privileged permissions and execute privileged operations in the cluster (reading secrets, creating pods, etc.). This detector looks for the creation or modification of a RoleBinding or ClusterRoleBinding that references an overly permissive built-in role and alerts on it as a privilege escalation procedure.

Recommended investigation steps:

  • Check the activity of the Kubernetes user that created the RoleBinding/ClusterRoleBinding:

    • Check whether this user is associated with multiple IPs from unrelated geographic locations or with multiple user agents (an indication of compromise).

    • Check whether the user has created RoleBindings in the past or whether this is the first time.

  • Check what other Kubernetes API requests the initiating IP made before and after this request:

    • Check whether this IP has more than one user associated with it.

  • Check the reputation and activity of the initiating IP address using PulseDive, IPInfo, AbuseIPDB, etc.

  • Check the details of the RoleBinding/ClusterRoleBinding:

    • Check which role is assigned via the binding and what it allows.

    • Check in which cluster/namespace the binding was created and which services run there.

    • Check which user or subject received this role/cluster role, when the binding was created, and whether that subject should have this permission.

🔎 Kubernetes suspicious impersonation

Detector ID: k8s_sus_impersonation

Impersonation is an API capability that lets a user perform an action in the name of, and with the privileges of, another user. In a Kubernetes environment, normal usage of this feature is limited to specific service accounts performing specific actions. An impersonation attempt that deviates from normal behavior might point to a threat actor abusing impersonation privileges for privilege escalation or to hide malicious activity. This detector looks for impersonation attempts in a Kubernetes environment and alerts on such behavior.

Recommended investigation steps:

  • Investigate the initiating user, their role, and their past actions.

  • Investigate the source IP address to find any known malicious sources

  • Investigate the target of the impersonation, and understand which privileges were gained and whether they were abused.

🔎 Kubernetes service account request denied

Detector ID: k8s_service_account_request_denied

In a Kubernetes environment, service accounts serve a specific purpose and usually perform a predetermined set of actions. A denied request from a service account may indicate a deviation from its normal behavior and, potentially, compromise. This detector looks for denied API requests originating from service accounts, using the detect-changes template to reduce noise from previously seen requests.

Recommended investigation steps:

  • Investigate the recent activity of the service account to identify the resources and namespaces it usually accesses, and compare to the requested URL.

  • Investigate the requested URL and determine the risk associated with gaining access to it.

  • Investigate the source IP and its recent activity to identify signs of compromise.
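As an added example (not Hunters' detector code, whose query language the page does not show), the three Kubernetes detectors above expressed as checks over Kubernetes API audit-log entries in Python. The sample events are constructed, the set of privileged built-in roles is an assumption, and the detect-changes baseline of the third detector is left out: only the per-event condition is shown.

```python
# Constructed Kubernetes audit-log entries (audit.k8s.io/v1 Event shape, trimmed to the fields the
# detectors read). requestObject is only present when the audit policy level for these resources
# is Request or RequestResponse; without it the first detector cannot see the roleRef.
SAMPLE_EVENTS = [
    {"verb": "create", "user": {"username": "dev@example.com"},
     "objectRef": {"resource": "clusterrolebindings", "name": "ops-admin"},
     "requestObject": {"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}},
     "responseStatus": {"code": 201}},
    {"verb": "get", "user": {"username": "ci-bot@example.com"},
     "impersonatedUser": {"username": "system:serviceaccount:kube-system:deployer"},
     "objectRef": {"resource": "secrets", "namespace": "kube-system"}, "responseStatus": {"code": 200}},
    {"verb": "list", "user": {"username": "system:serviceaccount:default:web"},
     "requestURI": "/api/v1/namespaces/kube-system/secrets", "objectRef": {"resource": "secrets"},
     "responseStatus": {"code": 403}},
    {"verb": "create", "user": {"username": "dev@example.com"},
     "objectRef": {"resource": "rolebindings", "name": "readers"},
     "requestObject": {"roleRef": {"kind": "ClusterRole", "name": "view"}}, "responseStatus": {"code": 201}},
]
# Assumed set of built-in roles treated as highly privileged; the page does not list Hunters' own set.
PRIVILEGED_BUILTIN_ROLES = {"cluster-admin", "admin", "edit"}
BINDING_RESOURCES = {"rolebindings", "clusterrolebindings"}
WRITE_VERBS = {"create", "update", "patch"}

def privileged_binding(event):
    """(Cluster)RoleBinding written with a roleRef to a privileged built-in role -> the role name."""
    if event.get("objectRef", {}).get("resource") not in BINDING_RESOURCES or event.get("verb") not in WRITE_VERBS:
        return None
    role = event.get("requestObject", {}).get("roleRef", {}).get("name")
    return role if role in PRIVILEGED_BUILTIN_ROLES else None

def impersonated_target(event):
    """The apiserver records impersonatedUser when it honoured Impersonate-* headers."""
    return event.get("impersonatedUser", {}).get("username")

def denied_service_account(event):
    """HTTP 403 on a request whose caller identity is a service account."""
    user = event.get("user", {}).get("username", "")
    return user.startswith("system:serviceaccount:") and event.get("responseStatus", {}).get("code") == 403

def run_detectors(events):
    """Return (detector_id, acting user, detail) for every event that trips one of the three detectors."""
    findings = []
    for ev in events:
        user = ev.get("user", {}).get("username")
        if (role := privileged_binding(ev)):
            findings.append(("k8s_suspicious_high_privilege_rolebinding", user, role))
        if (target := impersonated_target(ev)):
            findings.append(("k8s_sus_impersonation", user, target))
        if denied_service_account(ev):
            findings.append(("k8s_service_account_request_denied", user, ev.get("requestURI")))
    return findings
```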

Updated detectors

The detection improvements below are a result of an ongoing initiative to improve detection quality and will be released on May 22, 2024.

Improvements to EDR detection

Effective May 22, 2024

TL;DR

The following detectors were deprecated:

  • edr_commandline_contains_echo_to_base64

  • edr_certutil_uses_encode_or_decode_params

And replaced by this new detector:

  • edr_commandline_contains_base64_encoding_or_decoding_methods

We decided to deprecate the edr_commandline_contains_echo_to_base64 and edr_certutil_uses_encode_or_decode_params detectors, which cover base64 encoding or decoding techniques, due to low fidelity.

In their place, we've created a new detector to cover base64 encoding or decoding techniques. The new detector, Running suspicious command lines with Base64 encoding or decoding techniques (edr_commandline_contains_base64_encoding_or_decoding_methods), supports seven different techniques: Perl, Python, OpenSSL, PowerShell, Base64, Certutil, and Node.js.

Note:

  • Currently, we don’t support PowerShell’s -enc and -EncodedCommand flags, which appear in many legitimate processes and can cause many false positive alerts.

  • We reduced noise by mapping each technique to the operating system it is relevant to, e.g. Certutil should run on Windows machines and not on Unix-based machines.

  • We added built-in Ignore rules to the detector’s code that handle vulnerability assessment (VA) agents' activity (such as Rapid7, Nessus, SolarWinds), configuration scripts (docker-desktop osascript), and others.
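An added illustration, not Hunters' detector: one way to realise the technique-to-OS mapping and the built-in ignore rules described in the note, in Python over constructed EDR process events. The regexes, OS sets and ignore rules are assumptions; only the seven technique names and the mapping idea come from the page.

```python
import re

# Technique -> (regex over the command line, operating systems the technique is relevant to).
# The regexes and OS sets are assumptions; the page names the seven techniques and the mapping idea only.
TECHNIQUES = {
    "certutil":   (re.compile(r"\bcertutil(\.exe)?\b.*\s-(encode|decode)\b", re.I), {"windows"}),
    "powershell": (re.compile(r"\[Convert\]::(From|To)Base64String", re.I), {"windows"}),
    "base64":     (re.compile(r"(^|[\s|;&])base64(\s|$)", re.I), {"linux", "macos"}),
    "openssl":    (re.compile(r"\bopenssl\s+(base64\b|enc\b.*\s-(a|base64)\b)", re.I), {"linux", "macos", "windows"}),
    "python":     (re.compile(r"\bpython[23]?(\.exe)?\b.*b64(en|de)code", re.I), {"linux", "macos", "windows"}),
    "perl":       (re.compile(r"\bperl(\.exe)?\b.*(MIME::Base64|(en|de)code_base64)", re.I), {"linux", "macos", "windows"}),
    "nodejs":     (re.compile(r"\bnode(\.exe)?\b.*Buffer\.from\(.*['\"]base64['\"]", re.I), {"linux", "macos", "windows"}),
}
# Assumed built-in ignore rules, in the spirit of the VA-agent and docker-desktop exclusions the page mentions.
IGNORE_RULES = [
    re.compile(r"[\\/](nessus|rapid7|solarwinds)[\\/]", re.I),
    re.compile(r"docker-desktop.*osascript", re.I),
]

def matched_techniques(command_line, os_name):
    """Techniques whose pattern matches and that apply to the host OS; [] when an ignore rule fires."""
    if any(rule.search(command_line) for rule in IGNORE_RULES):
        return []
    return [name for name, (pattern, oses) in TECHNIQUES.items()
            if os_name in oses and pattern.search(command_line)]

# Constructed EDR process events: (command line, OS). The third shows the OS mapping suppressing a
# "certutil" hit on a Unix host; the fourth shows an ignore rule suppressing a VA agent's own activity.
SAMPLE_PROCESSES = [
    ("certutil.exe -decode C:\\Users\\Public\\in.txt C:\\Users\\Public\\out.txt", "windows"),
    ('/bin/sh -c "echo aGVsbG8= | base64 -d"', "linux"),
    ("/usr/bin/certutil -decode in.txt out.txt", "linux"),
    ("certutil.exe -encode C:\\Program Files\\Rapid7\\agent\\report.bin report.txt", "windows"),
    ("powershell.exe -Command \"[Convert]::FromBase64String('aGVsbG8=')\"", "windows"),
]

def scan(processes):
    """(command line, matched techniques) for every process event that trips the detector."""
    return [(cmd, hits) for cmd, os_name in processes if (hits := matched_techniques(cmd, os_name))]
```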

Improvements to the Potential SSO hijack detector

Effective May 22, 2024

TL;DR

The name of the okta_logs_potential_sso_hijack detector changed from Potential SSO hijack to Potential Okta session hijack using browser cookies.

We have identified the Potential SSO hijack detector (okta_logs_potential_sso_hijack) as low fidelity. As a result, we have decided to modify it to focus only on SSO hijacking related to browser session theft.

Browser session theft (aka “session token theft” or “session cookie replay”) has been a very common adversarial technique in the past few years. Its main purpose is to enable account takeover while bypassing MFA, and it can be implemented as cookie theft from the victim’s machine or through Adversary-in-the-Middle (AitM) infrastructure.

The detector looks for multiple Okta SSO events (user.authentication.sso), originating from web browsers, for the same user in the same Okta session from different user agents and IP addresses.
As a result of this change, the detector's name has changed to Potential Okta session hijack using browser cookies.
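An added example, not the detector's own code: the grouping logic described above applied to constructed Okta System Log events in Python. Field paths follow Okta's LogEvent schema; filtering on client.userAgent.browser is an assumption about how "originated by web browsers" is decided.

```python
from collections import defaultdict

# Constructed Okta System Log events (field paths follow the Okta LogEvent schema). The same user
# and externalSessionId appear from two IPs with two user agents: what a replayed session cookie
# looks like. The second user only changes IP (e.g. a phone switching networks), which is not flagged.
SAMPLE_OKTA_EVENTS = [
    {"eventType": "user.authentication.sso", "actor": {"alternateId": "alice@example.com"},
     "authenticationContext": {"externalSessionId": "102abcd"},
     "client": {"ipAddress": "198.51.100.10",
                "userAgent": {"browser": "CHROME", "rawUserAgent": "Mozilla/5.0 (Windows NT 10.0) Chrome/124"}}},
    {"eventType": "user.authentication.sso", "actor": {"alternateId": "alice@example.com"},
     "authenticationContext": {"externalSessionId": "102abcd"},
     "client": {"ipAddress": "203.0.113.77",
                "userAgent": {"browser": "CHROME", "rawUserAgent": "Mozilla/5.0 (X11; Linux x86_64) Chrome/123"}}},
    {"eventType": "user.authentication.sso", "actor": {"alternateId": "bob@example.com"},
     "authenticationContext": {"externalSessionId": "55efgh"},
     "client": {"ipAddress": "192.0.2.1",
                "userAgent": {"browser": "SAFARI", "rawUserAgent": "Mozilla/5.0 (iPhone) Safari/17"}}},
    {"eventType": "user.authentication.sso", "actor": {"alternateId": "bob@example.com"},
     "authenticationContext": {"externalSessionId": "55efgh"},
     "client": {"ipAddress": "192.0.2.200",
                "userAgent": {"browser": "SAFARI", "rawUserAgent": "Mozilla/5.0 (iPhone) Safari/17"}}},
    {"eventType": "user.session.start", "actor": {"alternateId": "alice@example.com"},
     "authenticationContext": {"externalSessionId": "102abcd"},
     "client": {"ipAddress": "198.51.100.10", "userAgent": {"browser": "CHROME", "rawUserAgent": "x"}}},
]

def is_browser_sso(ev):
    """Only SSO events whose client Okta classified as a browser; API tokens and CLIs report UNKNOWN."""
    return (ev.get("eventType") == "user.authentication.sso"
            and ev.get("client", {}).get("userAgent", {}).get("browser", "UNKNOWN") != "UNKNOWN")

def detect_session_hijack(events):
    """Group browser SSO events by (user, Okta session); flag sessions seen from >1 IP and >1 user agent."""
    sessions = defaultdict(lambda: {"ips": set(), "user_agents": set()})
    for ev in filter(is_browser_sso, events):
        key = (ev["actor"]["alternateId"], ev["authenticationContext"]["externalSessionId"])
        sessions[key]["ips"].add(ev["client"]["ipAddress"])
        sessions[key]["user_agents"].add(ev["client"]["userAgent"]["rawUserAgent"])
    return [{"user": user, "session": sid, "ips": sorted(v["ips"]), "user_agents": sorted(v["user_agents"])}
            for (user, sid), v in sessions.items()
            if len(v["ips"]) > 1 and len(v["user_agents"]) > 1]
```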

New enrichments

Investigation flow improvements for CloudTrail detectors

Whenever an aggregated detector contains IP address aggregation and there's only one IP associated with malicious activity, it will be enriched with a SaaSSourceActor entity. This enhancement facilitates automatic investigation drill-downs such as geographical location enrichment, IP activity analysis, Pulsedive enrichment, and much more, providing more contextual information. Additionally, scoring layers will dynamically adjust the risk score of the lead based on this enriched context.

If only one agent ID is detected behind the IP address during the lead's timeframe, a LocalHost entity will be created. Consequently, additional drill-downs and scoring layers will be activated.

This improvement will benefit the following detectors:

  • cloudtrail_mass_rds_deletion

  • cloudtrail_cloud_awareness_behavior

  • cloudtrail_privilege_escalation_behavior

  • cloudtrail_secrets_exfil

  • cloudtrail_secrets_exfil_by_new_user

  • cloudtrail_saml_replay