July 2024


Note

This article was originally published on June 14, 2024.

Product updates

Custom views in the SOC queue

The latest addition to the SOC Queue, SOC Queue tabs let you create customized views of the queue based on selected filters and share them with team members to align on open tasks and work processes.

With the SOC Queue tabs, you can:

  • Create tailored views - Customize and share views to align with your team and processes.

  • Manage watchlists - Focus on critical assets and proactive threat hunting.

  • Boost productivity - Optimize your workflow for maximum efficiency.

  • Handle multiple queues - Streamline your operations with ease.


Revamped Detectors page

Hunters is excited to share the new and improved Detectors page, sporting a new design and enhanced functionality. The new Detectors page is a huge leap forward in promoting transparency of Hunters’ security content.

With this new capability, customers can easily answer questions like:

  • How many detectors are active in my environment?

  • Which detectors do we have for a specific data source?

  • How many custom detectors are configured (and active) in my environment?

  • Which detectors have the option to generate alerts?

  • How many leads/alerts/clusters are generated by a detector in a specific time frame?

  • Which detectors are noisy and require fine-tuning?

  • Which detectors have custom scoring rules and how many?


API for Custom Scoring Rules management

🚧 Note

This feature is in open Beta status and is subject to feedback. Changes and adjustments to this feature may occur.

Hunters’ new Leads Scoring API endpoint introduces a powerful enhancement to the Hunters platform, enabling users to programmatically create and manage custom scoring rules. Hunters' Leads Scoring API is used together with the Hunters Detection Language to filter the desired leads on which rules will be applied.

📘 What are custom scoring rules?

Custom Scoring Rules are a way to fine-tune your detectors to your environment and needs. They allow you to easily suppress or change the risk score of alerts based on different conditions.

This feature is the latest addition to Hunters’ growing Detection-as-Code toolbox, allowing you to integrate threat detection mechanisms with the software development lifecycle (SDLC).

This allows teams of various sizes to build advanced automations and apply software development lifecycle principles to their fine-tuning activity.


SQL Custom Detectors in the Detectors API

Announcing the general availability of SQL Custom Detectors!

This new feature enables you to create advanced custom detectors by defining SQL queries, which will be continuously executed in your security data lake and generate leads for any result.

With SQL custom detectors, you can enjoy endless flexibility in defining your detection logic - from complex data manipulation using SQL functions, to utilization of SQL joins for combining different data streams, or really anything else available in your data warehouse’s SQL dialect.

Raw SQL detectors can be implemented in two ways:

  • Raw SQL Auto - In Auto mode, Hunters controls the time management and progression of the query. To enable this, you name the primary table whose time management Hunters will own. Only tables whose ingestion is performed and managed by Hunters are supported (including custom data sources).

  • Raw SQL Scheduled - In Scheduled mode, you define the schedule on which the detector triggers, using a cron expression.


Improved lead view

As part of our ongoing initiative to increase visibility and clarity of Hunters’ security content, and based on customer interviews, we’re excited to introduce a new view of lead details that will greatly improve the SOC analyst’s experience.

These enhancements include:

  • Streamlined Navigation: Say goodbye to unnecessary clicks! Our new UI introduces a convenient collapse/expand all option, saving you time and effort as you navigate through leads.

  • Enhanced Visibility: We understand that sometimes crucial content can get overlooked. That's why we're exposing all enrichments and attributes by default, ensuring that no detail goes unnoticed.

  • Improved Accessibility: We're bringing Lead activity to the front by integrating it into the Summary page, making it easier to find. You can also export all lead activity items as a CSV file.

  • Copy-paste Quickly: Copying values just got a whole lot easier. Our new quick-copy functionality allows you to swiftly duplicate any information you need, streamlining your workflow and boosting productivity.

New Workflow triggers

The following triggers were added to the Hunters triggers in Hunters Workflows for bi-directional support, ensuring that the status of a security case stays accurate in both Hunters and the ITSM tool.

  • Lead Was Managed - Whenever a Lead is managed on Hunters, it will trigger the recipe to run. You can choose from the following managed events: Status Change, Assignee Change, and Classification Change.

  • Story Was Managed - Whenever a Story is managed on Hunters, it will trigger the recipe to run. You can choose from the following managed events: Status Change, Assignee Change, Title Change and Tag Change.

  • New/Updated Comment - Whenever a Comment is added or updated on Hunters Leads, Stories or Threats, it will trigger the recipe to run. You can choose from the following managed events: New Comment, Updated Comment and Deleted Comment, as well as the commented resource: Leads, Stories or Threats.



Integrations

Armis

Armis Alerts are real-time notifications generated by the Armis platform to inform security teams about potential threats and vulnerabilities within an organization's network. These alerts provide detailed information about suspicious or malicious activities detected across managed and unmanaged devices, including IoT and OT assets. By offering contextual insights and prioritizing alerts based on risk levels, Armis Alerts enable swift and informed responses to security incidents, helping organizations mitigate risks and protect their critical infrastructure and data effectively.

The new integration includes:

  • Ingestion of the data to the data lake

  • Mapping the data to IOC Search

  • Native alerts


AWS Transit Gateway Flow Logs

AWS Transit Gateway flow logs provide detailed information about the IP traffic traversing through an AWS Transit Gateway, which connects VPCs and on-premises networks. These logs capture metadata such as source and destination IP addresses, ports, protocols, and the number of packets and bytes transferred, allowing administrators to monitor, analyze, and troubleshoot network traffic.

The new integration includes:

  • Ingestion of the data to the data lake

  • Mapping to Hunters’ Network schema

  • Mapping the data to IOC Search


Linux iptables (Shorewall)

Linux iptables is a powerful utility for configuring network packet filtering rules in the Linux kernel. By setting up logging rules within iptables, administrators can monitor and record network traffic for analysis and troubleshooting. These logs can provide detailed information about the source and destination IP addresses, ports, protocol types, and the action taken by the firewall (such as ACCEPT or DROP).

The new integration includes:

  • Ingestion of the data to the data lake

  • Mapping to Hunters’ Network schema

  • Mapping the data to IOC Search

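The kind of mapping this integration performs, as an added illustration (not Hunters' own code, and not its actual Network schema field names): it parses iptables kernel LOG lines into a normalized network record, matches the addresses against an indicator list the way an IOC search would, and counts dispositions as a noise check. The sample lines and the indicator list are constructed, and the "Shorewall:<chain>:<action>:" log prefix is assumed.

```python
import re
from ipaddress import ip_address

# Constructed sample kernel LOG lines (not real traffic). The "Shorewall:<chain>:<action>:"
# prefix is an assumption about how --log-prefix was configured on the firewall.
SAMPLE_LOGS = [
    "Jun 14 10:01:02 fw1 kernel: Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4321 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0",
    "Jun 14 10:01:05 fw1 kernel: Shorewall:loc-net:ACCEPT:IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=192.0.2.53 LEN=73 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=UDP SPT=40000 DPT=53 LEN=53",
    "Jun 14 10:01:09 fw1 kernel: Shorewall:net-fw:REJECT:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=0 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1",
]

KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")            # iptables KEY=VALUE tokens
ACTION_RE = re.compile(r":(ACCEPT|DROP|REJECT):")  # disposition taken from the log prefix

def parse_iptables_log(line):
    """Map one iptables LOG line to a normalized network record; None if it is not one."""
    fields = dict(KV_RE.findall(line))
    if "SRC" not in fields or "DST" not in fields:
        return None  # some other kernel/syslog message
    try:
        src, dst = ip_address(fields["SRC"]), ip_address(fields["DST"])
    except ValueError:
        return None  # malformed address: do not map garbage into the schema
    action = ACTION_RE.search(line)
    return {
        "src_ip": str(src),
        "dst_ip": str(dst),
        "protocol": fields.get("PROTO", "").lower(),
        # Ports exist only for TCP/UDP; ICMP lines carry TYPE/CODE instead.
        "src_port": int(fields["SPT"]) if fields.get("SPT") else None,
        "dst_port": int(fields["DPT"]) if fields.get("DPT") else None,
        "in_iface": fields.get("IN") or None,
        "out_iface": fields.get("OUT") or None,
        "action": action.group(1) if action else "UNKNOWN",
    }

# Constructed indicator list standing in for the IOC search mapping (example values only).
IOC_IPS = {"203.0.113.7"}

def ioc_hits(records):
    """Records whose source or destination IP matches a known indicator."""
    return [r for r in records if r["src_ip"] in IOC_IPS or r["dst_ip"] in IOC_IPS]

def action_counts(records):
    """Count records per firewall disposition, a quick noise check after ingestion."""
    counts = {}
    for r in records:
        counts[r["action"]] = counts.get(r["action"], 0) + 1
    return counts
```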