Read about everything that's new on Hunters.
Pull Lead details and manage clustered leads using Hunters API
We’ve extended our API with clustering-related capabilities. You can now request leads together with their threat cluster information, and you can use the same cluster information to automate bulk actions on similar leads, reusing the Hunters clustering logic instead of triaging each lead on its own.
These updates include the following:
- Get Leads by cluster: the existing Get Leads API now accepts cluster filters (threat_uuid or context_uuid), so you can request every lead that belongs to a given threat or context cluster.
- Cluster fields in the Get Leads response: the Lead schema in the response now includes the following cluster information:
  - Threat UUID
  - Threat attributes and value
  - Context UUID
  - Context attributes and value
- Post a comment on a cluster: a new Threats endpoint lets you post comments on a threat cluster.
- Bulk actions on leads: new APIs apply one action to a list of leads in a single call:
  - Bulk set the assignee for a list of lead UUIDs
  - Bulk set the status for a list of lead UUIDs
  - Bulk set the classification for a list of lead UUIDs
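The script below is an added example of the workflow these updates enable (pull a cluster's leads, then close them with bulk calls and a single cluster-level comment); it is not Hunters' code. The endpoint paths, pagination keys, and request/response field names are assumptions; only the threat_uuid/context_uuid filters, the bulk assignee/status/classification actions, and the Threats comment endpoint come from the notes above. The HTTP transport is injected so the script runs offline against constructed leads.

```python
"""Cluster-aware lead triage against a Hunters-style lead API (illustrative).

Assumed, not from Hunters documentation: endpoint paths, limit/offset paging,
and field names. From the release notes: Get Leads takes threat_uuid /
context_uuid filters, leads carry those UUIDs, a Threats endpoint takes
comments, and bulk assignee / status / classification updates take a list of
lead UUIDs. The transport is injected so this runs offline.
"""
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, Optional

# send(method, path, query_params, json_body) -> decoded JSON
Transport = Callable[[str, str, Optional[dict], Optional[dict]], dict]


class HuntersClusterClient:
    def __init__(self, send: Transport, page_size: int = 100):
        self.send = send
        self.page_size = page_size

    def get_leads(self, threat_uuid: Optional[str] = None,
                  context_uuid: Optional[str] = None) -> List[dict]:
        """Page through Get Leads with an optional cluster filter (path and paging keys assumed)."""
        params = {"limit": self.page_size, "offset": 0}
        if threat_uuid:
            params["threat_uuid"] = threat_uuid
        if context_uuid:
            params["context_uuid"] = context_uuid
        leads: List[dict] = []
        while True:
            page = self.send("GET", "/leads", dict(params), None)["results"]
            leads.extend(page)
            if len(page) < self.page_size:
                return leads
            params["offset"] += self.page_size

    def bulk_update(self, field: str, value: str, lead_uuids: Iterable[str]) -> dict:
        """One request for a whole list of leads; field is assignee, status or classification."""
        if field not in ("assignee", "status", "classification"):
            raise ValueError(f"no bulk endpoint for {field!r}")
        body = {"lead_uuids": sorted(set(lead_uuids)), field: value}
        return self.send("POST", f"/leads/bulk/{field}", None, body)   # path assumed

    def comment_on_threat(self, threat_uuid: str, text: str) -> dict:
        """Comment once on the cluster instead of on every lead (path assumed)."""
        return self.send("POST", f"/threats/{threat_uuid}/comments", None, {"comment": text})


def group_by_threat(leads: Iterable[dict]) -> Dict[str, List[str]]:
    """threat_uuid -> lead UUIDs; leads with no cluster land under 'unclustered'."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for lead in leads:
        groups[lead.get("threat_uuid") or "unclustered"].append(lead["uuid"])
    return dict(groups)


def close_cluster_as_fp(client: HuntersClusterClient, threat_uuid: str,
                        analyst: str, reason: str) -> List[dict]:
    """Three bulk calls plus one cluster comment, instead of 3N per-lead calls."""
    ids = [lead["uuid"] for lead in client.get_leads(threat_uuid=threat_uuid)]
    if not ids:
        return []
    return [
        client.bulk_update("assignee", analyst, ids),
        client.bulk_update("classification", "False Positive", ids),
        client.bulk_update("status", "Closed", ids),
        client.comment_on_threat(threat_uuid, f"Bulk-closed {len(ids)} leads as FP: {reason}"),
    ]


# ---- constructed sample leads and an in-memory transport (no network) ----
SAMPLE_LEADS = [
    {"uuid": "lead-1", "threat_uuid": "thr-A", "context_uuid": "ctx-1"},
    {"uuid": "lead-2", "threat_uuid": "thr-A", "context_uuid": "ctx-2"},
    {"uuid": "lead-3", "threat_uuid": "thr-B", "context_uuid": "ctx-1"},
    {"uuid": "lead-4", "threat_uuid": None, "context_uuid": None},
]


class FakeTransport:
    """Records every request; answers Get Leads from SAMPLE_LEADS with the filters applied."""

    def __init__(self) -> None:
        self.requests: List[tuple] = []

    def __call__(self, method, path, params, body):
        self.requests.append((method, path, params, body))
        if method == "GET" and path == "/leads":
            rows = [lead for lead in SAMPLE_LEADS
                    if all(not params.get(k) or lead[k] == params[k]
                           for k in ("threat_uuid", "context_uuid"))]
            return {"results": rows[params["offset"]:params["offset"] + params["limit"]]}
        return {"ok": True, "path": path}


if __name__ == "__main__":
    client = HuntersClusterClient(FakeTransport())
    print(group_by_threat(client.get_leads()))
    print(close_cluster_as_fp(client, "thr-A", "analyst@example.com", "known benign scanner"))
```

Grouping by threat_uuid first and acting per group keeps the number of API calls proportional to the number of clusters rather than the number of leads, which is the point of the bulk endpoints.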
Easily share IOC search results
You can now share IOC search results with colleagues by copying the search results URL. Opening the URL reproduces the IOC search you performed, together with its results.
Adjustments to risk score default values
We recently improved the initial scoring and SOC queue default configuration for security alerts from third-party products (shown in the portal as ‘Native Alerts’) in order to reduce false positives and general noise.
The adjustments are specified below so you can align your own settings with them. We strongly recommend reviewing the confidence thresholds of Native Alerts and adjusting them to your own needs.
Learn more about risk scoring.
What changed?
The table below describes the list of recalibrated detections and what changed for each detection.
The change can be in one of the following parameters:
- The alert's base confidence scoring
- The alert’s default state of appearance in the SOC queue
- The alert’s default confidence scoring threshold to appear in the SOC queue
Detection Name | Base Confidence (Old) | Base Confidence (New) | SOC Queue Default Appearance (Old) | SOC Queue Default Appearance (New) | SOC Queue Confidence Threshold (Old) | SOC Queue Confidence Threshold (New) |
Proofpoint TAP Clicks Alerts | 7 (Likely) | 4 (Unlikely) | True | False | 1 (Very Unlikely) | 1 (Very Unlikely) |
Proofpoint TAP Messages Alerts | 7 (Likely) | 4 (Unlikely) | True | False | 1 (Very Unlikely) | 1 (Very Unlikely) |
SentinelOne Threats | 3 (Unlikely) | 3 (Unlikely) | True | True | 1 (Very Unlikely) | 7 (Likely) |
CrowdStrike Falcon Native Detection | 6 (Possible) | 6 (Possible) | True | True | 1 (Very Unlikely) | 5 (Possible) |
ProtectWise Native Observations | 3 (Unlikely) | 3 (Unlikely) | True | False | 1 (Very Unlikely) | 1 (Very Unlikely) |
AWS GuardDuty IAM Native Alert | 5 (Possible) | 5 (Possible) | True | True | 1 (Very Unlikely) | 8 (Likely) |
Lacework AWS CloudTrail Alerts | 5 (Possible) | 4 (Unlikely) | False | False | 1 (Very Unlikely) | 1 (Very Unlikely) |
Mimecast Attachment Protect Native Alerts | 5 (Possible) | 4 (Unlikely) | True | False | 1 (Very Unlikely) | 1 (Very Unlikely) |
Mimecast Anti Virus Native Alerts | 5 (Possible) | 4 (Unlikely) | True | False | 1 (Very Unlikely) | 1 (Very Unlikely) |
Mimecast URL Protect Native Alerts | 5 (Possible) | 3 (Unlikely) | True | False | 1 (Very Unlikely) | 1 (Very Unlikely) |
Netskope Native Alerts | 4 (Unlikely) | 4 (Unlikely) | True | False | 1 (Very Unlikely) | 1 (Very Unlikely) |
Request from Blacklisted IP | 5 (Possible) | 4 (Unlikely) | True | True | 1 (Very Unlikely) | 5 (Possible) |
Request from Suspicious Actor Detected on Okta | 5 (Possible) | 4 (Unlikely) | True | True | 1 (Very Unlikely) | 5 (Possible) |
AWS GuardDuty EC2 Native Alert | 5 (Possible) | 5 (Possible) | True | True | 1 (Very Unlikely) | 6 (Possible) |
Suspected Malware or Phishing via Email | 5 (Possible) | 4 (Unlikely) | True | False | 1 (Very Unlikely) | 1 (Very Unlikely) |
Wiz AWS Alerts | 5 (Possible) | 4 (Unlikely) | True | False | 5 (Possible) | 5 (Possible) |
Azure AD Sign-in Marked as Risky by Microsoft | 6 (Possible) | 6 (Possible) | True | True | 1 (Very Unlikely) | 6 (Possible) |
Orca AWS VM Alerts | 5 (Possible) | 4 (Unlikely) | False | False | 1 (Very Unlikely) | 1 (Very Unlikely) |
Orca Generic AWS Alerts | 5 (Possible) | 4 (Unlikely) | False | False | 1 (Very Unlikely) | 1 (Very Unlikely) |
ADAudit Plus Alerts | 5 (Possible) | 4 (Unlikely) | False | False | 3 (Unlikely) | 3 (Unlikely) |
Agari Native Detections | 5 (Possible) | 4 (Unlikely) | True | False | 1 (Very Unlikely) | 1 (Very Unlikely) |
Obsidian Alerts | 5 (Possible) | 4 (Unlikely) | False | False | 1 (Very Unlikely) | 1 (Very Unlikely) |
Microsoft 365 Defender Alerts | 5 (Possible) | 5 (Possible) | False | False | 1 (Very Unlikely) | 1 (Very Unlikely) |
Microsoft 365 Defender Cloud Application Alerts | 5 (Possible) | 5 (Possible) | True | True | 1 (Very Unlikely) | 1 (Very Unlikely) |
Microsoft Defender for Office 365 Alerts | 5 (Possible) | 4 (Unlikely) | True | True | 1 (Very Unlikely) | 1 (Very Unlikely) |
Wiz Azure Alerts | 5 (Possible) | 4 (Unlikely) | True | False | 5 (Possible) | 5 (Possible) |
Wiz GCP Alerts | 5 (Possible) | 4 (Unlikely) | True | False | 5 (Possible) | 5 (Possible) |
Abnormal Threats Email Native Alerts | 5 (Possible) | 3 (Unlikely) | True | False | 1 (Very Unlikely) | 1 (Very Unlikely) |
Orca GCP Generic Alerts | 5 (Possible) | 4 (Unlikely) | False | False | 1 (Very Unlikely) | 1 (Very Unlikely) |
Suspicious Email Detected by PAN | 5 (Possible) | 4 (Unlikely) | False | False | 1 (Very Unlikely) | 1 (Very Unlikely) |
Netskope Malware Alerts | 4 (Unlikely) | 4 (Unlikely) | True | True | 1 (Very Unlikely) | 5 (Possible) |
Orca Generic Azure Alerts | 5 (Possible) | 4 (Unlikely) | False | False | 1 (Very Unlikely) | 1 (Very Unlikely) |
Potential Spoofing of Employee's Email Display Name | 5 (Possible) | 4 (Unlikely) | True | False | 1 (Very Unlikely) | 1 (Very Unlikely) |
Noname Security Native Issues | 4 (Unlikely) | 4 (Unlikely) | True | False | 1 (Very Unlikely) | 1 (Very Unlikely) |
Symantec Endpoint Protection IDS Alerts | 5 (Possible) | 5 (Possible) | False | True | 1 (Very Unlikely) | 7 (Likely) |
Check Point Smart Defense Alerts | 4 (Unlikely) | 3 (Unlikely) | False | False | 1 (Very Unlikely) | 1 (Very Unlikely) |
FireEye EX Alerts | 5 (Possible) | 4 (Unlikely) | True | False | 3 (Unlikely) | 3 (Unlikely) |
Suspicious URL Detected by PAN | 5 (Possible) | 3 (Unlikely) | False | False | 1 (Very Unlikely) | 1 (Very Unlikely) |
Cyren Inbox Protection Incidents | 5 (Possible) | 4 (Unlikely) | True | False | 1 (Very Unlikely) | 1 (Very Unlikely) |
Sysdig Secure Events | 5 (Possible) | 4 (Unlikely) | False | False | 1 (Very Unlikely) | 1 (Very Unlikely) |
Next steps
As these changes take effect they may change which alerts reach your SOC queue. For instance, if you configured one of these detectors to raise an alert in the SOC queue only at confidence ‘Possible’ or above, you might stop seeing alerts from it altogether, because its base confidence was lowered to ‘Unlikely’.
To handle this, adjust your alert generation settings.
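The script below is an added example, not a Hunters feature, for auditing the effect of this recalibration against your own thresholds. It applies the rule implied by this section (an alert is shown in the SOC queue when its detection is enabled for the queue and its confidence is at or above the queue threshold) to a hand-copied subset of the table above, and reports which detections flip visibility at their base score. Custom scoring rules that raise confidence above the base are not modelled, so treat the output as a starting list for review.

```python
"""Audit which Native Alert detections change SOC-queue visibility after the
recalibration. Rule assumed from the release notes: shown iff enabled for the
queue and confidence >= queue threshold. Rows are a subset of the table above."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class QueueConfig:
    base_confidence: int   # score a fresh alert starts with
    in_queue: bool         # detection enabled for the SOC queue at all
    threshold: int         # minimum confidence to be shown in the queue

    def shows_by_default(self, override_threshold: Optional[int] = None) -> bool:
        """Visibility of an alert that never gained confidence beyond its base."""
        threshold = self.threshold if override_threshold is None else override_threshold
        return self.in_queue and self.base_confidence >= threshold


# detection -> (old config, new config); values copied from the table above
RECALIBRATED: Dict[str, Tuple[QueueConfig, QueueConfig]] = {
    "Proofpoint TAP Messages Alerts": (QueueConfig(7, True, 1), QueueConfig(4, False, 1)),
    "SentinelOne Threats": (QueueConfig(3, True, 1), QueueConfig(3, True, 7)),
    "CrowdStrike Falcon Native Detection": (QueueConfig(6, True, 1), QueueConfig(6, True, 5)),
    "AWS GuardDuty IAM Native Alert": (QueueConfig(5, True, 1), QueueConfig(5, True, 8)),
    "Request from Blacklisted IP": (QueueConfig(5, True, 1), QueueConfig(4, True, 5)),
    "Wiz AWS Alerts": (QueueConfig(5, True, 5), QueueConfig(4, False, 5)),
    "Symantec Endpoint Protection IDS Alerts": (QueueConfig(5, False, 1), QueueConfig(5, True, 7)),
    "Microsoft 365 Defender Cloud Application Alerts": (QueueConfig(5, True, 1), QueueConfig(5, True, 1)),
}


def visibility_changes(table: Dict[str, Tuple[QueueConfig, QueueConfig]],
                       custom_thresholds: Optional[Dict[str, int]] = None) -> Dict[str, Tuple[bool, bool]]:
    """{detection: (visible before, visible after)} for every detection that flips.
    custom_thresholds holds queue thresholds you set yourself; the recalibration
    does not touch those, but the new base confidence is still measured against them."""
    custom = custom_thresholds or {}
    changes = {}
    for name, (old, new) in table.items():
        before, after = old.shows_by_default(custom.get(name)), new.shows_by_default(custom.get(name))
        if before != after:
            changes[name] = (before, after)
    return changes


def silenced_by_base_drop(table: Dict[str, Tuple[QueueConfig, QueueConfig]],
                          custom_thresholds: Dict[str, int]) -> List[str]:
    """The case called out in the notes: your own threshold sat at or below the
    old base confidence and now sits above the new one, so nothing reaches the queue."""
    out = []
    for name, (old, new) in table.items():
        t = custom_thresholds.get(name)
        if t is not None and new.in_queue and old.base_confidence >= t > new.base_confidence:
            out.append(name)
    return out


if __name__ == "__main__":
    for name, (before, after) in visibility_changes(RECALIBRATED).items():
        print(f"{name}: {before} -> {after}")
    print(silenced_by_base_drop(RECALIBRATED, {"Request from Blacklisted IP": 5}))
```

Extend RECALIBRATED with the remaining rows from the table and fill custom_thresholds from your own configuration; detections the second function returns are the ones to revisit first.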
FAQs
What will happen to my custom scoring rules?
Existing custom rules need no modification; whether a rule triggers depends on the base confidence you configured in it. However, since the base confidence of some detections was recalibrated, you may want to adjust the base confidence in your custom rules accordingly.
How to prepare?
No preparation is needed before the change. After it has been deployed, however, we strongly recommend that you review the confidence thresholds of these alert types and adjust them to your needs.
How will this affect my experience?
You’ll probably notice the following:
- Reduction in the number of displayed alerts generated by the connected security tools in the SOC Queue.
- Lower scoring distribution of some of these alerts.
- Reduction in the number of displayed Stories that include a single ‘Native Alert’ in them.
Integrations
Symantec DLP Logs
We now support a new data type for Symantec’s DLP schema. This integration includes:
- Transformation of the logs as they come from Symantec.
- Native Alerts over the DLP events.
Learn more here.
Armorblox
Armorblox is a cloud office security platform that uses AI to protect enterprise communications. The integration includes:
- Collection of the data using the Armorblox API.
- Ingestion of the data for Incidents and Policies.
- Native alerts over the Incidents data type.
Learn more here.
CrowdStrike IDP
CrowdStrike Falcon Identity Protection (IDP) monitors network traffic to build behavioral profiles of users and to flag unusual user behavior. This integration enriches our existing CrowdStrike offering.
Note that while these logs are part of Crowdstrike, they appear as a standalone product on the Hunters platform to avoid confusion in the setup process.
Learn more here.
Microsoft Exchange
We developed a new integration for the Microsoft Exchange Traffic Logs. The integration includes:
- Transformation of the logs from their CSV format into the data lake.
- Mapping of the logs to the Email Events unified schema.
Learn more here.
BIND DNS
A new integration for the BIND DNS events is now available.
The integration includes:
- Transformation of the logs from their raw text format into the data lake.
- Mapping of the logs to the DNS unified schema.
Learn more here.
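As an added example of the first step of this integration (not Hunters' transformation code), the parser below turns BIND 9 query-log lines into flat, normalized DNS records. The output field names stand in for a unified DNS schema and are assumptions; the line shape and flag letters follow the BIND 9 ‘queries’ log category (optional timestamp and ‘queries: info:’ prefix, then client [@ptr] ip#port (qname): query: qname class type flags (server-ip); a leading ‘+’ means recursion desired, ‘T’ TCP, ‘E’ EDNS, ‘D’ DNSSEC OK). The sample lines are constructed.

```python
"""Parse BIND 9 query-log lines into normalized DNS records. Output field
names are an assumed stand-in for a unified DNS schema; sample lines are
constructed. Lines that do not parse are returned, not dropped."""
import re
from datetime import datetime
from typing import Iterable, List, Optional, Tuple

QUERY_RE = re.compile(
    r"^(?:(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) )?"   # optional print-time stamp
    r"(?:queries: )?(?:\w+: )?"                                          # optional category / severity
    r"client (?:@0x[0-9a-fA-F]+ )?"                                      # optional client pointer
    r"(?P<src>[0-9a-fA-F.:]+)#(?P<sport>\d+) \((?P<qname>[^)]*)\): query: "
    r"(?P<name>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
    r"(?: \((?P<dst>[0-9a-fA-F.:]+)\))?"                                 # server address, newer BIND
)


def parse_line(line: str) -> Optional[dict]:
    m = QUERY_RE.match(line.strip())
    if not m:
        return None
    ts, flags = m.group("ts"), m.group("flags")
    letters = re.sub(r"\(\d+\)", "", flags)   # strip the '(0)' EDNS version before testing flag letters
    return {
        "timestamp": datetime.strptime(ts, "%d-%b-%Y %H:%M:%S.%f").isoformat() if ts else None,
        "src_ip": m.group("src"),
        "src_port": int(m.group("sport")),
        "query_name": m.group("name").rstrip(".").lower(),
        "query_class": m.group("qclass"),
        "query_type": m.group("qtype"),
        "recursion_desired": flags.startswith("+"),
        "over_tcp": "T" in letters,
        "edns": "E" in letters,
        "dnssec_ok": "D" in letters,
        "server_ip": m.group("dst"),
        "raw": line.rstrip("\n"),
    }


def parse_bind_query_log(lines: Iterable[str]) -> Tuple[List[dict], List[str]]:
    """Records that parsed, and the lines that did not (silent drops hide coverage gaps)."""
    records, unparsed = [], []
    for line in lines:
        rec = parse_line(line)
        if rec:
            records.append(rec)
        else:
            unparsed.append(line.rstrip("\n"))
    return records, unparsed


# Constructed sample: two file-logged lines with prefixes, one bare syslog-style line, one non-query line.
SAMPLE_LINES = [
    "01-Mar-2023 09:00:01.123 queries: info: client @0x7f3e9c0b2010 192.0.2.10#53422 "
    "(www.example.com): query: www.example.com IN A +E(0)K (198.51.100.1)",
    "01-Mar-2023 09:00:02.456 queries: info: client 192.0.2.11#40001 "
    "(mail.example.net): query: mail.example.net IN MX -T (198.51.100.1)",
    "client @0x7f3e9c0b2020 2001:db8::5#5353 (_sip._tcp.example.org): query: "
    "_sip._tcp.example.org IN SRV + (2001:db8::1)",
    "01-Mar-2023 09:00:03.000 general: info: zone example.com/IN: loaded serial 2023030101",
]

if __name__ == "__main__":
    records, unparsed = parse_bind_query_log(SAMPLE_LINES)
    for rec in records:
        print(rec["src_ip"], rec["query_type"], rec["query_name"], "tcp" if rec["over_tcp"] else "udp")
    print("unparsed:", unparsed)
```

Keeping the unparsed lines visible matters in a pipeline: a BIND upgrade that changes the log shape should show up as a spike in that list, not as DNS detections silently going quiet.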
F5 VPN
F5 BIG-IP log files contain essential diagnostic information about events on the BIG-IP system. Integrating F5 VPN with Hunters ingests these data types into your data lake so they can be used for detection use cases.
Learn more here.
ThreatX Audit Logs
ThreatX is a cloud-native WAF that protects web applications and APIs. It sits between the Internet and the enterprise network and blocks inbound web requests that target the organization's internal web servers.
Hunters supports ingestion of ThreatX logs into the data lake. The data source is also used in the Hunters pipeline for detection and investigation of HTTP requests to the relevant appliances in the organization's network.
Learn more here.
Cloudflare
Cloudflare acts as an intermediary between a client and a server, using a reverse proxy to mirror and cache websites. By storing web content on the edge server closest to the visitor it shortens load times, and it can also modify content such as images and rich text for better performance.
This data source is used in the Hunters Pipeline for detection and investigation regarding the logged activity in the organization's network.
Learn more here.
Apache
Apache HTTP Server (Apache2) is open-source web server software used to serve web content on the Internet. Its access logs record each request made to the server, including the source IP address, the requested URL, the client's user agent, and other details, which supports monitoring web traffic, troubleshooting issues, and analyzing user behavior.
Hunters supports ingestion of Apache2 logs into the data lake. The data source is also used in the Hunters pipeline for detection and investigation of HTTP requests to the relevant servers in the organization's network.
Learn more here.
Detection
Azure Entra ID detection pack
Azure is Microsoft’s cloud platform and the second-largest cloud provider in the world. It offers a wide variety of cloud services, and many organizations base their infrastructure on Azure and use Azure AD (now Microsoft Entra ID) as their identity provider and for Windows endpoint management, since it is Microsoft’s cloud counterpart to classic Active Directory.
Threats to cloud platforms are diverse; the cloud matrix of MITRE ATT&CK for Enterprise (Matrix - Enterprise | MITRE ATT&CK®) catalogs them.
In an effort to provide better coverage of possible threats on Azure, Hunters’ Security Research team created new detection opportunities in order to cover the following threats:
- Credential Access
- Privilege Escalation
- Discovery
- Exfiltration
As part of this long-term research project, the following two detectors were recently released.
Possible primary refresh token extraction
This detector flags executions of BrowserCore.exe by a parent process that does not normally launch it. Threat actors can run BrowserCore.exe to extract the Primary Refresh Token (PRT) from an Azure Entra ID-joined endpoint and use it as the user's credential.
With a user's PRT, an attacker inherits that user's permissions to services in the Azure environment. The detector gives the analyst early knowledge of the extraction, so they can revoke the user's access and revert the actions the attacker performed.
Relevant data sources: EDR + Azure (enrichment)
Azure Multiple VM Password Reset
Detects multiple password resets of local user accounts on different Azure virtual machines, performed by the same Azure user account (UPN) within a short period of time.
Password resets on multiple VMs within a short period are a good indicator of suspicious or malicious activity: an attacker can use them to gain a foothold on those VMs (lateral movement) and/or for persistence.
Threat actors can use the resulting access and code execution on Azure VMs to move laterally through the Azure environment and to gain relatively stealthy persistence on the virtual machines.
This detector surfaces unusually frequent password reset activity so the analyst can investigate the reason behind it. The information in the lead is a good pivot point (for example, reviewing activity by managed identities attached to the affected VMs for anything suspicious), which can bring earlier identification of malicious activity.
Relevant data sources: Azure Activity Logs
Ransomware Threat Hunting Pack
The ransomware threat hunting pack compiles the techniques most commonly used in recent months by ransomware groups and their affiliates. This research was used to develop threat-hunting campaigns, hygiene dashboards and notebooks that help customers detect these threats and identify and close the gaps ransomware groups exploit across their enterprise and cloud systems.
As part of this pack, we recently released the new detector below.
Commonly Abused Binary Executed by OneNote Application
This detector looks for commonly abused binaries running as child processes of OneNote, as well as suspicious executions of embedded OneNote attachments from the \Temp\OneNote\16.0\Exported\ directory.
Threat actors use malicious OneNote notebooks with embedded attachments to execute code on target systems. The detector catches phishing attempts that use OneNote, a recent trend in the threat landscape.
It is recommended to investigate the target process command line and its child processes.
Relevant data sources: EDR
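The script below is an added example that implements both EDR-based detectors from this page (the BrowserCore.exe unusual-parent detector under the Azure Entra ID pack, and the OneNote detector above) as plain rule logic over process-creation events; it is not the Hunters implementation. The event fields (host, image, parent_image, cmdline), the sample events, the list of ‘commonly abused binaries’ and the baseline policy (a parent is ‘usual’ only if it launched BrowserCore.exe on at least two hosts in the history window) are assumptions for this example; the export path fragment is the one named above.

```python
"""Two process-creation detections as plain rule logic. Fields, sample events,
the abused-binary list and the min_hosts baseline policy are assumptions for
this example; the OneNote export path fragment comes from the release notes."""
import ntpath
from collections import defaultdict
from typing import Dict, Iterable, List, Set

ABUSED_BINARIES = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                   "rundll32.exe", "regsvr32.exe", "certutil.exe", "msiexec.exe"}
# Where OneNote drops embedded attachments before running them (lower-cased for matching).
ONENOTE_EXPORT_DIR = "\\temp\\onenote\\16.0\\exported\\"


def base(path: str) -> str:
    """Image name only, lower-cased, so full paths and bare names compare equal."""
    return ntpath.basename(path).lower()


def parent_baseline(history: Iterable[dict], child: str = "browsercore.exe",
                    min_hosts: int = 2) -> Set[str]:
    """Parents that launched `child` on at least min_hosts distinct hosts during
    the history window count as usual; one odd host does not make a parent normal."""
    hosts: Dict[str, Set[str]] = defaultdict(set)
    for ev in history:
        if base(ev["image"]) == child:
            hosts[base(ev["parent_image"])].add(ev["host"])
    return {parent for parent, seen_on in hosts.items() if len(seen_on) >= min_hosts}


def detect_browsercore_anomaly(events: Iterable[dict], baseline: Set[str]) -> List[dict]:
    """Possible PRT extraction: BrowserCore.exe started by a parent outside the baseline."""
    return [{"rule": "browsercore_unusual_parent", "host": ev["host"],
             "parent": base(ev["parent_image"]), "cmdline": ev["cmdline"]}
            for ev in events
            if base(ev["image"]) == "browsercore.exe" and base(ev["parent_image"]) not in baseline]


def detect_onenote_abuse(events: Iterable[dict]) -> List[dict]:
    """Two signals, reported separately: an abused binary spawned by OneNote, and
    anything executed from (or pointed at) the OneNote export directory."""
    alerts = []
    for ev in events:
        image, parent = base(ev["image"]), base(ev["parent_image"])
        if parent == "onenote.exe" and image in ABUSED_BINARIES:
            alerts.append({"rule": "onenote_spawned_abused_binary", "host": ev["host"],
                           "image": image, "cmdline": ev["cmdline"]})
        if ONENOTE_EXPORT_DIR in ev["image"].lower() or ONENOTE_EXPORT_DIR in ev["cmdline"].lower():
            alerts.append({"rule": "onenote_exported_attachment_executed", "host": ev["host"],
                           "image": image, "cmdline": ev["cmdline"]})
    return alerts


# ---- constructed sample events ----
def _ev(host, parent_image, image, cmdline=None):
    return {"host": host, "parent_image": parent_image, "image": image,
            "cmdline": cmdline or ntpath.basename(image)}


CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
BROWSERCORE = r"C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe"
ONENOTE = r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE"
EXPORTED = r"C:\Users\bob\AppData\Local\Temp\OneNote\16.0\Exported\{A1B2C3D4}"

# History window: browsers launch BrowserCore.exe fleet-wide; one host saw PowerShell do it once.
HISTORY = ([_ev(h, CHROME, BROWSERCORE) for h in ("ws01", "ws02", "ws03")]
           + [_ev(h, EDGE, BROWSERCORE) for h in ("ws01", "ws02")]
           + [_ev("ws09", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", BROWSERCORE)])

# Events under evaluation.
NEW_EVENTS = [
    _ev("ws01", CHROME, BROWSERCORE),                                       # normal
    _ev("ws07", r"C:\Windows\System32\cmd.exe", BROWSERCORE),               # unusual parent
    _ev("ws07", ONENOTE, r"C:\Windows\System32\wscript.exe",
        f'wscript.exe "{EXPORTED}\\invoice.wsf"'),                          # both OneNote signals
    _ev("ws07", ONENOTE, EXPORTED + r"\setup.exe"),                         # exported attachment only
    _ev("ws02", r"C:\Windows\explorer.exe", ONENOTE),                       # user opened OneNote
    _ev("ws02", ONENOTE, r"C:\Windows\splwow64.exe"),                       # printing, not abused
]

if __name__ == "__main__":
    for alert in detect_browsercore_anomaly(NEW_EVENTS, parent_baseline(HISTORY)) + detect_onenote_abuse(NEW_EVENTS):
        print(alert)
```

The baseline is built from a separate history set rather than updated as events stream in, so a fresh deployment does not learn an attacker's parent process as ‘usual’ on its first sighting; raising min_hosts makes the baseline stricter.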