Note
This article was originally published on September 20, 2024.
Product updates
New Filtering Experience on the Leads Page
To promote UX consistency throughout the Hunters platform, we’re excited to introduce new filtering and sorting capabilities on the Leads page. These enhancements include:
New page filter component: Consistent filters across the platform, aligning with the experience in the SOC Queue and other areas.
Comprehensive filtering options: Access to all lead filters, ensuring a reliable and smooth process for tuning and threat hunting.
New filter options: Access to our latest filters, including asset tags and more, further enhancing your ability to drill down into the data you need.
This improvement streamlines the entire user experience, making hunting processes more efficient and intuitive.
New Timestamps in the Get Leads API
On Sunday, September 22, we will add 2 new timestamp fields to the Get Leads API endpoint. These give you better visibility into the timeline of a lead and make it possible to measure time-to-detect.
event_end_time - The end time of a time period, or the time of the most recent event included in the aggregate event. In case the lead is created on one event, the event_end_time will be equal to the event_time.
ingestion_time - The time when the event was inserted into the data lake. In case of an aggregate event, this will be the insertion time of the most recent event.
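As an added illustration (not code from the Hunters release note or any Hunters API client), the following Python computes the timeline gaps the new fields make possible. The field names event_time, event_end_time and ingestion_time come from the note above; lead_creation_time is an assumed field name standing in for whatever the API reports as the lead's creation time, and the two leads are constructed sample data, one aggregate lead and one single-event lead where event_end_time equals event_time.

```python
from datetime import datetime, timezone

# Constructed sample of two leads in the shape the Get Leads API might return.
# event_time, event_end_time and ingestion_time are the documented fields;
# lead_creation_time is an ASSUMED field name used only to show time-to-detect.
SAMPLE_LEADS = [
    {   # aggregate lead built from several events over 45 minutes
        "lead_id": "lead-0001",
        "event_time": "2024-09-22T10:00:00Z",
        "event_end_time": "2024-09-22T10:45:00Z",
        "ingestion_time": "2024-09-22T10:47:30Z",
        "lead_creation_time": "2024-09-22T11:02:00Z",
    },
    {   # single-event lead: event_end_time equals event_time
        "lead_id": "lead-0002",
        "event_time": "2024-09-22T12:00:00Z",
        "event_end_time": "2024-09-22T12:00:00Z",
        "ingestion_time": "2024-09-22T12:00:40Z",
        "lead_creation_time": "2024-09-22T12:05:40Z",
    },
]


def parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z into a UTC-aware datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value).astimezone(timezone.utc)


def lead_latencies(lead):
    """Return the timeline gaps (in seconds) for one lead.

    activity_span: duration of the aggregated activity (event_end_time - event_time);
                   zero for a single-event lead.
    ingestion_lag: how long the newest event took to land in the data lake
                   (ingestion_time - event_end_time).
    detection_lag: time-to-detect, measured from the newest event to lead creation
                   (lead_creation_time - event_end_time).
    """
    start = parse_ts(lead["event_time"])
    end = parse_ts(lead["event_end_time"])
    ingested = parse_ts(lead["ingestion_time"])
    created = parse_ts(lead["lead_creation_time"])
    # A lead cannot be ingested or created before its newest event occurred;
    # treat that as a data problem rather than reporting a negative latency.
    if end < start or ingested < end or created < end:
        raise ValueError(f"{lead['lead_id']}: timestamps out of order")
    return {
        "lead_id": lead["lead_id"],
        "activity_span": (end - start).total_seconds(),
        "ingestion_lag": (ingested - end).total_seconds(),
        "detection_lag": (created - end).total_seconds(),
    }


def summarize(leads):
    """Aggregate per-lead latencies into the numbers a SOC would track over time."""
    rows = [lead_latencies(lead) for lead in leads]
    n = len(rows)
    return {
        "mean_ingestion_lag": sum(r["ingestion_lag"] for r in rows) / n,
        "mean_detection_lag": sum(r["detection_lag"] for r in rows) / n,
        "single_event_leads": sum(1 for r in rows if r["activity_span"] == 0),
    }


if __name__ == "__main__":
    for lead in SAMPLE_LEADS:
        print(lead_latencies(lead))
    print(summarize(SAMPLE_LEADS))
```

Measuring detection lag from event_end_time rather than event_time matters for aggregate leads: the lead could not have existed before its most recent event, so the earlier start time would overstate time-to-detect.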
Microsoft Event Hub Ingestion
Hunters now supports the ingestion of selected Microsoft data types using the Azure Event Hub module. Azure Event Hub is a fully managed, real-time data ingestion service designed to stream and process large volumes of events. It enables reliable and scalable data pipelines, supporting analytics and real-time monitoring across distributed systems.
This seamless ingestion method replaces the intermediary storage solution used until now to ingest logs from Microsoft. Currently, the Event Hub method can be used to ingest the following data types:
💡Learn more
Integrations
Meraki Auth Users
The Meraki Auth Users logs list the users configured under Meraki Authentication for a network (splash guest or RADIUS users for a wireless network, or client VPN users for a MX network). Data is gathered using an API connection with Meraki.
The new integration includes:
Ingestion of the data to the data lake
Mapping the data to IOC Search
Learn more here
SAP
SAP Security Audit Logs
The security audit log is a tool designed for auditors who need to take a detailed look at what occurs in the SAP system. By activating the audit log, you keep a record of those activities you consider relevant for auditing. You can then access this information for evaluation in the form of an audit analysis report.
Data is gathered using an intermediary AWS S3 bucket.
The new integration includes:
Ingestion of the data to the data lake
Mapping the data to IOC Search
Mapping to the Hunters Login Schema
Learn more here
SAP S/4HANA Security Audit Logs
SAP S/4HANA Security Audit Logs are essential tools for tracking and monitoring system activities within the SAP environment, ensuring compliance and enhancing security. They capture detailed records of critical actions, such as user logins, changes to system configurations, and access to sensitive data, allowing administrators to detect suspicious activities or unauthorized access.
Data is gathered using an API connection with SAP.
The new integration includes:
Ingestion of the data to the data lake
Mapping the data to IOC Search
Mapping to the Hunters Login Schema
Learn more here
Microsoft
Azure Kubernetes Service
Azure Kubernetes Service (AKS) is a managed container orchestration service provided by Microsoft Azure that simplifies the deployment, management, and operations of Kubernetes. AKS automates the provisioning, upgrading, and scaling of resources, allowing developers to focus on building and maintaining applications rather than managing the underlying infrastructure.
Data is gathered using Azure Event Hub.
The new integration includes:
Ingestion of the data to the data lake
Mapping the data to IOC Search
Mapping to the Hunters K8s Schema
Learn more here
Azure Application Gateway WAF
Azure Application Gateway Firewall is a web application firewall (WAF) that provides centralized protection for your web applications from common threats and vulnerabilities. It helps to secure your applications by filtering and monitoring HTTP requests, offering protection against SQL injection, cross-site scripting, and other web-based attacks.
Data is gathered using Azure Event Hub.
The new integration includes:
Ingestion of the data to the data lake
Mapping the data to IOC Search
Mapping to the Hunters Network Schema
Learn more here
Azure Purview
Microsoft Purview logs provide detailed records of activities related to data governance and compliance across an organization's data estate. These logs capture information on actions such as data classification, access requests, policy enforcement, and auditing activities within Microsoft Purview.
Data is gathered using Azure Event Hub.
The new integration includes:
Ingestion of the data to the data lake
Mapping the data to IOC Search
Learn more here
Microsoft Defender Identity Query
Defender XDR Identity Query logs provide detailed insights into identity-related activities within an organization's environment. These logs capture data on user authentication events, access patterns, and anomalies across various resources, helping security teams detect and investigate potential identity-based threats.
Data is gathered using Azure Event Hub.
The new integration includes:
Ingestion of the data to the data lake
Mapping the data to IOC Search
Learn more here
Detection
New detectors
🔎 API calls invoked by known attacking tools
Detector ID: aws_malicious_user_agents
We're introducing a new detector that identifies API calls made by known attacking tools by analyzing the User-Agent field in requests.
This detector leverages the fact that many open-source attack tools include project names in their User-Agent strings, providing a unique opportunity to detect malicious activity.
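The following Python is an added example, not Hunters' detector logic, showing the approach described above run over constructed CloudTrail-style records. The tool-name markers are placeholders; a real signature list would hold the project names of actual tools. Because the User-Agent header is set by the client, a match is high-confidence but a miss proves nothing, so the example also pivots on the source IP to surface the other calls made alongside the flagged one.

```python
import json

# Constructed signature list: lower-cased project-name substrings that a tool
# embeds in its User-Agent. These are PLACEHOLDER names for illustration only.
KNOWN_TOOL_UA_MARKERS = (
    "example-enum-tool",
    "example-cloud-scanner",
    "example-privesc-kit",
)

# Constructed CloudTrail-style records as JSON lines; only the fields the
# detector reads are populated.
SAMPLE_CLOUDTRAIL = """\
{"eventTime":"2024-09-20T08:01:02Z","eventName":"ListBuckets","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"},"sourceIPAddress":"203.0.113.10","userAgent":"aws-cli/2.15.0 Python/3.11.6 Linux/6.1"}
{"eventTime":"2024-09-20T08:02:10Z","eventName":"GetCallerIdentity","userIdentity":{"arn":"arn:aws:iam::111122223333:user/bob"},"sourceIPAddress":"198.51.100.7","userAgent":"Example-Enum-Tool/1.4 (+https://example.invalid)"}
{"eventTime":"2024-09-20T08:03:33Z","eventName":"DescribeInstances","userIdentity":{"arn":"arn:aws:iam::111122223333:role/ci"},"sourceIPAddress":"198.51.100.7","userAgent":"Boto3/1.34.0 md/Botocore#1.34.0 ua/2.0 os/linux"}
{"eventTime":"2024-09-20T08:04:00Z","eventName":"ListUsers","userIdentity":{"arn":"arn:aws:iam::111122223333:user/bob"},"sourceIPAddress":"198.51.100.7","userAgent":"python-requests/2.31 example-cloud-scanner/0.9"}
"""


def match_user_agent(user_agent):
    """Return the signature marker found in the User-Agent, or None.

    Matching is case-insensitive substring matching because tools tend to
    place their name among other client tokens (library, OS, version).
    """
    ua = (user_agent or "").lower()
    for marker in KNOWN_TOOL_UA_MARKERS:
        if marker in ua:
            return marker
    return None


def detect_tool_user_agents(jsonl):
    """Scan CloudTrail JSON lines and return one finding per matching record."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        marker = match_user_agent(rec.get("userAgent"))
        if marker is None:
            continue
        findings.append({
            "event_time": rec["eventTime"],
            "event_name": rec["eventName"],
            "principal": rec.get("userIdentity", {}).get("arn"),
            "source_ip": rec.get("sourceIPAddress"),
            "matched_marker": marker,
            "user_agent": rec["userAgent"],
        })
    return findings


def group_by_source(findings):
    """Pivot findings by source IP so an analyst sees every flagged call from it."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["source_ip"], []).append(f["event_name"])
    return grouped


if __name__ == "__main__":
    hits = detect_tool_user_agents(SAMPLE_CLOUDTRAIL)
    for h in hits:
        print(h)
    print(group_by_source(hits))
```

The unmatched Boto3 call from the same source IP as the two hits is exactly the kind of record the pivot is meant to bring into view: once a source is tied to a known tool, its other API calls deserve the same scrutiny even though their User-Agent looks ordinary.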
🔎 Suspicious silent execution of cmd.exe
Detector ID: edr_cmd_suspicious_silent_execution_patterns
The detector looks for the execution of cmd.exe (Command Prompt) with the "Echo Off" flag (/Q). This flag is known to be used by different tools, including tools of the Impacket Python collection, such as the well-known Wmiexec.
In addition, this detector might identify the usage of other attack tools and manual executions of cmd.exe that share the characteristic of silent execution (Echo Off) with the Impacket tools.
In cases where WmiPrvSE.exe is the initiating process, investigating the commands executed by all the child processes of that WmiPrvSE.exe instance can give a better understanding of the intent behind the suspicious execution. In addition, it is recommended to look for incoming traffic over port 135 toward the investigated host, to try to identify the source of the suspicious execution in case of Wmiexec usage.
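An added example (not Hunters' detector) of the logic described above, in Python: it flags cmd.exe launched with the /Q switch, raises severity when the parent is WmiPrvSE.exe, collects the commands of that WmiPrvSE.exe instance's child processes for intent analysis, and lists the sources of inbound port 135 traffic to the host. The process and flow records are constructed, and their field names (pid, ppid, image, cmdline, dst_port and so on) are assumptions rather than Hunters' EDR schema.

```python
from pathlib import PureWindowsPath

# Constructed EDR-style process creation events. Field names are ASSUMED for
# illustration; pid/ppid link children to parents within one host.
SAMPLE_PROCESS_EVENTS = [
    {"host": "ws01", "pid": 400, "ppid": 4,
     "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "cmdline": "WmiPrvSE.exe -secured -Embedding"},
    {"host": "ws01", "pid": 412, "ppid": 400,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /Q /c whoami"},
    {"host": "ws01", "pid": 415, "ppid": 412,
     "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami"},
    {"host": "ws02", "pid": 500, "ppid": 120,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"host": "ws02", "pid": 510, "ppid": 500,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
    {"host": "ws02", "pid": 520, "ppid": 500,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": 'cmd.exe /q /c "echo hello"'},
]

# Constructed network flow records used for the port 135 pivot.
SAMPLE_FLOWS = [
    {"dst_host": "ws01", "dst_port": 135, "src_ip": "10.0.0.23"},
    {"dst_host": "ws01", "dst_port": 443, "src_ip": "10.0.0.9"},
    {"dst_host": "ws02", "dst_port": 135, "src_ip": "10.0.0.41"},
]


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(path).name.lower()


def has_quiet_switch(cmdline):
    """True when cmd.exe itself was given /Q (Echo Off).

    cmd.exe accepts /Q or -Q case-insensitively, but only before /C or /K;
    anything after /C or /K belongs to the command being run, so a trailing
    "/q" meant for another program (e.g. "dir /q") is not counted.
    """
    for token in cmdline.split():
        t = token.lower()
        if t in ("/q", "-q"):
            return True
        if t in ("/c", "/k", "-c", "-k"):
            break
    return False


def find_silent_cmd(events):
    """Flag silent cmd.exe executions and attach investigation context."""
    by_pid = {e["pid"]: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)

    findings = []
    for e in events:
        if image_name(e["image"]) != "cmd.exe" or not has_quiet_switch(e["cmdline"]):
            continue
        parent = by_pid.get(e["ppid"])
        parent_name = image_name(parent["image"]) if parent else None
        finding = {
            "host": e["host"],
            "pid": e["pid"],
            "cmdline": e["cmdline"],
            "parent": parent_name,
            # WMI-initiated silent execution matches the Wmiexec pattern, so rank it higher
            "severity": "high" if parent_name == "wmiprvse.exe" else "medium",
            "context": [],
        }
        if parent_name == "wmiprvse.exe":
            # every command this WmiPrvSE.exe instance spawned, for intent analysis
            finding["context"] = [c["cmdline"] for c in children.get(parent["pid"], [])]
        findings.append(finding)
    return findings


def inbound_rpc_sources(flows, host):
    """Sources that connected to port 135 on the host, to locate where a WMI request came from."""
    return sorted({f["src_ip"] for f in flows if f["dst_host"] == host and f["dst_port"] == 135})


if __name__ == "__main__":
    for f in find_silent_cmd(SAMPLE_PROCESS_EVENTS):
        print(f, inbound_rpc_sources(SAMPLE_FLOWS, f["host"]))
```

The switch parser stops at /C or /K on purpose: a command such as dir /q is legitimate and has nothing to do with cmd.exe's own Echo Off behaviour, and counting it would add noise to exactly the kind of detector this update is trying to keep precise.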
Modified detectors
🔎 Possible use of a stolen or forged user ticket (TGT)
Detector ID: windows_event_forged_or_stolen_user_ticket
We've made significant improvements to the "Possible use of a stolen or forged user ticket (TGT)" detector to enhance accuracy and reduce noise. The update introduces several changes: filtering out legitimate service requests for entire domains (e.g., .local, .com), comparing %krbtgt% instead of just krbtgt to account for variations in account representation, and fixing edge cases where account names were not normalized.
Additionally, we've refined other settings to further reduce noise and improve detection closer to real-time. These enhancements aim to refine the detector's performance while maintaining accuracy in threat identification.
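As an added illustration (not the detector's actual implementation), this Python shows two of the changes listed above: the %krbtgt% substring comparison versus an exact krbtgt match, and account-name normalization across DOMAIN\user, user@REALM, whitespace and case variants. It reconciles constructed ticket-usage events against constructed TGT issuance records so that a krbtgt ticket used without a matching issuance is flagged; the event field names and the issuance list are assumptions. The domain-suffix filter is not reproduced because its exact criteria are not given on the page.

```python
# Constructed record of TGTs the KDC actually issued: (normalized account, client IP).
# In a real pipeline this would be built from TGT issuance events; it is ASSUMED here.
ISSUED_TGTS = {("alice", "10.1.1.5")}

# Constructed ticket-usage events. Field names are ASSUMPTIONS for illustration.
SAMPLE_TICKET_USAGE = [
    # issued to alice from the same IP: legitimate
    {"account_name": "ALICE@CORP.LOCAL", "service_name": "KRBTGT", "client_ip": "10.1.1.5"},
    # no issuance recorded for bob from this IP, and the service name carries a realm
    {"account_name": "CORP\\Bob ", "service_name": "krbtgt/CORP.LOCAL", "client_ip": "10.1.1.9"},
    # ordinary service ticket, not a TGT at all
    {"account_name": "carol@corp.local", "service_name": "host/dc01.corp.local", "client_ip": "10.1.1.11"},
]


def normalize_account(name):
    """Reduce the representations seen in Windows events to one canonical form.

    'CORP\\Bob ', 'bob@CORP.LOCAL' and 'BOB' all become 'bob', so the same
    principal is not counted as three different accounts.
    """
    n = name.strip().lower()
    if "\\" in n:                      # DOMAIN\user
        n = n.split("\\", 1)[1]
    if "@" in n:                       # user@REALM
        n = n.split("@", 1)[0]
    return n


def service_is_krbtgt(service_name, substring=True):
    """Compare the service name to krbtgt.

    substring=True is the SQL LIKE '%krbtgt%' behaviour from the update and also
    matches 'krbtgt/REALM'; substring=False is the older exact comparison that
    silently misses that form.
    """
    s = service_name.strip().lower()
    return "krbtgt" in s if substring else s == "krbtgt"


def find_unissued_krbtgt_usage(usage_events, issued, substring=True):
    """Return (account, client_ip) pairs that used a krbtgt ticket with no matching issuance."""
    flagged = []
    for ev in usage_events:
        if not service_is_krbtgt(ev["service_name"], substring):
            continue
        key = (normalize_account(ev["account_name"]), ev["client_ip"])
        if key not in issued:
            flagged.append(key)
    return flagged


if __name__ == "__main__":
    print("substring match:", find_unissued_krbtgt_usage(SAMPLE_TICKET_USAGE, ISSUED_TGTS))
    print("exact match:   ", find_unissued_krbtgt_usage(SAMPLE_TICKET_USAGE, ISSUED_TGTS, substring=False))
```

Run as is, the exact comparison returns nothing while the substring comparison flags bob: the only difference is the realm suffix on the service name, which is precisely the variation the update accounts for.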
🔎 SentinelOne Threats
Detector ID: sentinelone_threat
We've improved the SentinelOne Threats detector as part of our ongoing internal quality monitoring efforts.
This 3rd-party detector has been generating a high volume of leads, significantly contributing to the SOC queue. To better manage this, we’ve refined the detector’s logic by performing the following changes:
Adjusted the global custom rule to decrease severity for leads with a mitigation status of "Mitigated."
Lowered the confidence level for leads with a "Mitigated" status and an analyst verdict other than "True positive."
Set the confidence level to minimum for leads marked as "Benign" or those with a "False positive" analyst verdict.
These updates are expected to reduce the number of leads entering the SOC queue by approximately 20%.
🔎 “Potential brute-force attempt” and “Password spraying attempt on multiple accounts”
Detector IDs:
windows_event_password_brute_force_attempt_ts
windows_event_password_spraying_attempt
The detectors above have been adjusted to improve their coverage by catching more events that are relevant to the detector's purpose. The following changes have been made:
Adjusted thresholds to better align with the expanded coverage.
Added new event statuses to the detectors' logic, allowing them to generate leads for more event scenarios.
These updates will enable the detectors to generate more leads and detect a wider range of relevant cases.
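An added example, not the detectors' own logic, of the two ideas in the list above in Python: a configurable set of failure statuses and thresholds that separate a brute-force pattern (many failures against one account from one source) from password spraying (one source failing against many accounts) inside a sliding time window. The thresholds, status values, field names and logon events are all constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# ASSUMED tuning values; the release note gives no figures.
FAILURE_STATUSES = {"bad_password", "unknown_user", "account_locked"}  # statuses counted as a failed attempt
BRUTE_FORCE_MIN_FAILURES = 5   # failures against one account from one source within WINDOW
SPRAY_MIN_ACCOUNTS = 4         # distinct accounts failed from one source within WINDOW
WINDOW = timedelta(minutes=10)

# Constructed logon events with ASSUMED field names.
SAMPLE_EVENTS = (
    # 10.0.0.5: six bad-password failures against one account within one minute
    [{"ts": f"2024-09-20T09:00:{s:02d}Z", "src_ip": "10.0.0.5", "account": "Admin", "status": "bad_password"}
     for s in range(0, 60, 10)]
    # 10.0.0.8: one attempt each against five accounts; four fail with different statuses, one succeeds
    + [{"ts": f"2024-09-20T09:{m:02d}:00Z", "src_ip": "10.0.0.8", "account": f"user{m}", "status": st}
       for m, st in zip(range(1, 6), ["bad_password", "bad_password", "unknown_user", "account_locked", "success"])]
    # 10.0.0.9: two failures, below every threshold
    + [{"ts": "2024-09-20T09:30:00Z", "src_ip": "10.0.0.9", "account": "bob", "status": "bad_password"},
       {"ts": "2024-09-20T09:31:00Z", "src_ip": "10.0.0.9", "account": "bob", "status": "bad_password"}]
)


def _parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def failures_by_source(events):
    """Group failed attempts per source IP as time-sorted (timestamp, account) pairs."""
    by_src = defaultdict(list)
    for e in events:
        if e["status"] in FAILURE_STATUSES:
            by_src[e["src_ip"]].append((_parse(e["ts"]), e["account"].lower()))
    for attempts in by_src.values():
        attempts.sort()
    return by_src


def detect(events):
    """Return {(alert_type, src_ip, account_or_*): peak_count} over sliding windows.

    For each failure, the window is the WINDOW-long interval ending at that
    failure. Counting per account finds brute force; counting distinct accounts
    finds spraying. The peak value per alert key is kept so one source produces
    one alert rather than one per window position.
    """
    alerts = {}
    for src, fails in failures_by_source(events).items():
        for i, (t_end, _) in enumerate(fails):
            window_accounts = [a for (t, a) in fails[: i + 1] if t >= t_end - WINDOW]
            counts = Counter(window_accounts)
            for acct, n in counts.items():
                if n >= BRUTE_FORCE_MIN_FAILURES:
                    key = ("brute_force", src, acct)
                    alerts[key] = max(alerts.get(key, 0), n)
            if len(counts) >= SPRAY_MIN_ACCOUNTS:
                key = ("password_spraying", src, "*")
                alerts[key] = max(alerts.get(key, 0), len(counts))
    return alerts


if __name__ == "__main__":
    for key, count in detect(SAMPLE_EVENTS).items():
        print(key, count)
```

Adding a status to FAILURE_STATUSES is the whole change needed to count a new failure scenario, which is the shape of the second bullet above; the thresholds then decide how many such events it takes before a lead is raised.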
🔎 File signed by Sysinternals detected
Detector ID: cb_platform_sysinternals_signature
During internal quality monitoring, this detector was identified as a "silent detector"—meaning it hadn't generated leads for an extended period of time. Upon reviewing its performance, we discovered opportunities to refine its logic and increase coverage to provide more accurate detection.
🔎 Mailbox export request - suspected Proxyshell exploitation
Detector ID: edr_exchange_mailboxexportrequest
During internal quality monitoring, this detector was identified as a "silent detector"—meaning it hadn't generated leads for an extended period of time. Upon reviewing its performance, we decided to expand its coverage by adding more detection methods for the anomaly.
These enhancements will help the detector produce leads, and increase its effectiveness in identifying threats in the environment.