
Note

This article was originally published on July 30, 2024.

Product updates

New tenant navigator for multi-tenant accounts

We are excited to introduce a new tenant navigator for multi-tenant accounts, designed to streamline your workflow and improve efficiency.

While previously you had to scroll through the entire tenant list to find the required tenant, now you can search for tenants by name and organization, making it easier to locate the specific tenant you need.

You can now open tenants in a new tab for better multitasking. The Recent Tenants functionality lets you quickly access tenants you've interacted with recently. Additionally, you can hide tenants based on category, keeping your workspace organized and focused. The updated switch context user experience provides a clear and intuitive interface for navigating between tenants.


Integrations

NetScaler Application Firewall

NetScaler AppFW is a web application firewall that provides comprehensive security for web applications by protecting them from various types of attacks, including SQL injection and cross-site scripting. It offers advanced features such as application behavior profiling and signature-based detection to ensure robust protection and compliance with security standards.

The new integration includes:

  • Ingestion of the data to the data lake

  • Mapping the data to IOC Search

  • Mapping to the Hunters Web Requests Schema


GitLab Audit Logs

GitLab is a web-based DevOps lifecycle tool that provides a Git repository manager offering wiki, issue-tracking, and CI/CD pipeline features, using an open-source license. It enables collaborative software development and version control, allowing teams to manage projects from planning and source code management to monitoring and security.

The audit log allows organization admins to quickly review the actions performed by members of their organization. It includes details such as who performed the action, what the action was, and when it was performed.

The new integration includes:

  • Ingestion of the data to the data lake

  • Mapping the data to IOC Search



Detection

New detectors

🔎 Execution of multiple situational awareness database commands in a short period on a Snowflake account

Detector ID: snowflake_query_awareness_behavior

Adversaries often use situational awareness commands on databases to discover critical information such as the location of sensitive data, user roles, and permissions, which helps them plan targeted attacks and privilege escalation. By listing and describing databases, tables, and schemas, as well as enumerating permissions, attackers gather insights that enable more effective and precise exploitation.

This detector checks the query_history view in both Snowflake sources: account usage and reader account usage. Account usage holds the audit records of queries executed from this account; reader account usage holds the audit records of queries executed by reader accounts only.

In short, the detector fires when multiple situational awareness database commands are executed within a short period (30 minutes) on a Snowflake account.

Recommended investigation steps:

  • Review user activity to determine if the commands were executed by a legitimate user or a compromised account.

    • Audit the roles and permissions granted to the user or account that executed the commands and identify any excessive or inappropriate permissions that could have been exploited.

    • Contact the user and confirm whether they ran those commands.

  • For the usage_account user, check which IP address the commands were run from by querying the sessions table (join on the session_id column).

    • Investigate the source IP: its location, anomalies in login times, whether it appears in any IOC or threat intel platform, and whether it is known and has been used to log in to Snowflake before.

    • Check which client applications the user usually logs in with, then look up the client application seen here and what it is typically used for.
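As an added illustration of the detection logic and the session lookup described above (example code, not Hunters' detector), the following Python groups situational awareness queries per user in a sliding 30-minute window over rows shaped like query_history, then enriches each alert with source IP and client application from rows shaped like sessions via session_id. The command patterns, the threshold of 5 and all sample rows are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Situational awareness patterns: an assumed list for this example, not the
# detector's own (listing/describing objects and enumerating grants, per the page).
AWARENESS = [re.compile(p, re.IGNORECASE) for p in (
    r"^\s*SHOW\s+(DATABASES|SCHEMAS|TABLES|VIEWS|GRANTS|USERS|ROLES)\b",
    r"^\s*DESC(RIBE)?\s+(TABLE|VIEW|SCHEMA|DATABASE|USER|ROLE)\b",
    r"\bINFORMATION_SCHEMA\.(TABLES|COLUMNS|SCHEMATA)\b")]
WINDOW = timedelta(minutes=30)  # the 30-minute period stated on the page
THRESHOLD = 5                   # assumed alerting threshold

def is_awareness(query_text):
    return any(p.search(query_text) for p in AWARENESS)

def detect(query_history, sessions, window=WINDOW, threshold=THRESHOLD):
    """One alert per user whose densest window holds >= threshold awareness queries,
    enriched with source IP and client application from sessions via session_id."""
    by_user = defaultdict(list)
    for row in query_history:
        if is_awareness(row["query_text"]):
            by_user[row["user_name"]].append(row)
    alerts = []
    for user, rows in by_user.items():
        rows.sort(key=lambda r: r["start_time"])
        best, j = [], 0
        for i in range(len(rows)):  # two-pointer sliding window over start_time
            while j < len(rows) and rows[j]["start_time"] - rows[i]["start_time"] <= window:
                j += 1
            if j - i > len(best):
                best = rows[i:j]
        if len(best) >= threshold:
            sess = [sessions[r["session_id"]] for r in best if r["session_id"] in sessions]
            alerts.append({"user_name": user, "count": len(best), "first_seen": best[0]["start_time"],
                           "source_ips": sorted({s["client_ip"] for s in sess}),
                           "client_apps": sorted({s["client_application"] for s in sess})})
    return alerts

# Constructed sample rows shaped like query_history and sessions (not real telemetry).
T0 = datetime(2024, 7, 30, 9, 0)
QUERY_HISTORY = [{"user_name": "ANALYST_BOB", "session_id": 101, "query_text": q,
                  "start_time": T0 + timedelta(minutes=m)} for m, q in [
    (0, "SHOW DATABASES"), (2, "SHOW SCHEMAS IN DATABASE PROD"), (4, "SHOW TABLES IN SCHEMA PROD.FINANCE"),
    (5, "SELECT 1"), (7, "DESCRIBE TABLE PROD.FINANCE.PAYROLL"), (9, "SHOW GRANTS TO USER ANALYST_BOB"),
    (12, "select table_name from information_schema.tables")]
] + [{"user_name": "ETL_SVC", "session_id": 202, "query_text": "SHOW TABLES IN SCHEMA PROD.STAGE",
      "start_time": T0 + timedelta(hours=h)} for h in (0, 3)]  # two commands hours apart: no alert
SESSIONS = {101: {"client_ip": "203.0.113.7", "client_application": "SnowSQL 1.2.32"},
            202: {"client_ip": "198.51.100.20", "client_application": "PythonConnector 3.10"}}
```

Running detect(QUERY_HISTORY, SESSIONS) yields a single alert for ANALYST_BOB (six awareness queries in twelve minutes) with the source IP and client application pulled from session 101; the two ETL_SVC commands hours apart stay below the threshold.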

Modified detectors

🔎 Plain text password discovery

Detector ID: edr_plain_text_password_discovery

Following a review, we've made the following adjustments to the Plain text password discovery detector.

Extended coverage:

  • Added coverage for cases where password files with the same name were accessed but on different machines.

  • The detector was previously effective only on sources that provide a Windows SID field (CS, MDATP). Replacing the Windows SID field with the username extracted from target_file_path extends coverage to all EDRs.

  • To support the grouping by username described above, we added the user_folder_name field to all EDR file event sources.

  • Revised the password file names list to cover more use cases.

Reduced Noise:

  • We now filter on the create action only (excluding rename, delete, etc.).

  • Filtered out less relevant file types (e.g., PDF), as well as cases where the initiating process is related to the Ivanti suite.
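To show how the changes above fit together (added example, not Hunters' detector code), the Python below derives user_folder_name from target_file_path so that password-named files created by the same user on different hosts land in one group, and applies the create-only, file-type and Ivanti-initiator filters. The file name list, the event field names other than target_file_path, the minimum event count and all sample events are assumptions for the example.

```python
import re
from collections import defaultdict

# Assumed values for this example; the page's revised name list is not published.
PASSWORD_FILE_STEMS = {"password", "passwords", "creds", "credentials"}
EXCLUDED_EXTENSIONS = {".pdf"}      # less relevant file types, per the page
EXCLUDED_INITIATORS = ("ivanti",)   # initiating processes related to the Ivanti suite
# user_folder_name comes from target_file_path rather than a Windows SID, so one person is grouped across hosts.
USER_DIR_PATTERNS = (
    re.compile(r"^[a-z]:[\\/]users[\\/]([^\\/]+)[\\/]", re.IGNORECASE),  # Windows profile dir
    re.compile(r"^/(?:home|users)/([^/]+)/", re.IGNORECASE),             # Linux / macOS home
)

def user_folder_name(target_file_path):
    for pattern in USER_DIR_PATTERNS:
        m = pattern.match(target_file_path)
        if m:
            return m.group(1).lower()
    return None
def split_name(target_file_path):
    """(stem, extension) of the file name, both lower-cased."""
    name = re.split(r"[\\/]", target_file_path)[-1].lower()
    stem, dot, ext = name.rpartition(".")
    return (stem, "." + ext) if dot else (name, "")
def is_candidate(event):
    stem, ext = split_name(event["target_file_path"])
    return (event["action"] == "create"  # create only: rename, delete, etc. are ignored
            and stem in PASSWORD_FILE_STEMS and ext not in EXCLUDED_EXTENSIONS
            and not any(h in event["initiating_process"].lower() for h in EXCLUDED_INITIATORS))
def detect(events, min_events=2):
    """Group candidate creates by (user_folder_name, file name), across hosts."""
    groups = defaultdict(list)
    for e in events:
        user = user_folder_name(e["target_file_path"])
        if user and is_candidate(e):
            groups[(user, "".join(split_name(e["target_file_path"])))].append(e["hostname"])
    return [{"user_folder_name": u, "file_name": f, "hosts": sorted(set(h)), "events": len(h)}
            for (u, f), h in groups.items() if len(h) >= min_events]

# Constructed sample EDR file events; field names other than target_file_path are assumed.
FIELDS = ("hostname", "action", "initiating_process", "target_file_path")
EVENTS = [dict(zip(FIELDS, row)) for row in (
    ("WS-01", "create", "explorer.exe", r"C:\Users\alice\Desktop\passwords.txt"),
    ("WS-02", "create", "notepad.exe", r"C:\Users\Alice\Documents\passwords.txt"),  # same user, other host
    ("WS-02", "create", "chrome.exe", r"C:\Users\alice\Downloads\passwords.pdf"),    # excluded file type
    ("WS-03", "rename", "explorer.exe", r"C:\Users\bob\creds.txt"),                  # not a create
    ("WS-04", "create", "IvantiAgent.exe", r"C:\Users\carol\AppData\creds.txt"),     # Ivanti initiator
    ("srv-01", "create", "vim", "/home/dave/credentials.txt"),                       # only one event
)]
```

detect(EVENTS) returns one group: alice's passwords.txt seen on WS-01 and WS-02, which a SID-keyed grouping would have split into two separate, sub-threshold groups.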

Disabled detectors

🔎 User first seen using remote logon

Detector ID: windows_event_rdp_with_new_username

After a thorough examination, we've decided to disable the 'User first seen using remote logon' detector. The detector was found to behave inconsistently and did not meet Hunters' detection quality standards.