Read about everything that's new on Hunters.
Product updates
More flexibility when defining custom detectors
In addition to the library of detectors provided out-of-the-box, Hunters allows users to create their own Custom Detectors, which run continuously over your raw data as part of the Hunters Detection Engine.
With this release, we've added new operators for use in custom detection logic definitions. This lets you build custom detectors with more advanced logic than was previously possible, helping your team improve its detection capabilities and increase your organization's overall threat coverage.
Following the addition of the new operators, some existing LIKE/EQUALS operators were automatically migrated to be case-insensitive. This migration was validated not to affect existing functionality. If you'd like a full list of the affected detectors to review, please contact Hunters Support.
Read more about it here.
Integrations
Watchguard Firebox
Hunters now supports onboarding WatchGuard Firebox logs. WatchGuard lets you see all the traffic through your network and monitor network activity to make sure it is secure. Integrating WatchGuard into Hunters ingests these data types into your data lake, where they can be leveraged for various detection use cases.
These logs can be onboarded using an AWS S3 bucket as an intermediary. See Connect data through AWS S3 to learn how.
Learn more here.
Area 1
Cloudflare Area 1 comprehensively defends against sophisticated threats by stopping phish at the earliest stages of the attack cycle. Hunters allows onboarding Area 1 email alerts.
Integrating Area 1 into Hunters allows the collection and ingestion of key data types into the data lake. Alerts are then created over these logs, auto-investigated, and correlated with other related signals.
These logs are onboarded using the API. Click here to learn how.
Learn more here.
Zscaler ZIA Firewall
Hunters now supports a new Zscaler log type: Zscaler ZIA Firewall. These are the firewall logs that the Zscaler Nanolog Streaming Service (NSS) forwards to the SIEM.
To send Zscaler logs to Hunters, you need an on-premise log shipping infrastructure such as Fluentd or Logstash, which receives the logs from an on-premise NSS server via syslog and outputs them to S3.
Learn more here.
Cisco ESA
The Cisco Email Security Appliance (ESA) is designed to detect and block a wide variety of email-borne threats. Integrating Cisco ESA into Hunters allows the collection and ingestion of key data types into the data lake. Raw email data is then used to auto-investigate and correlate related alerts.
Hunters supports onboarding Cisco ESA Consolidated Event Logs, which summarize each message event in a single log line formatted in the Common Event Format (CEF).
These logs can be onboarded using an AWS S3 bucket as an intermediary. Click here to learn how.
Learn more here.
Teleport
Teleport is an open-source tool that provides zero-trust access to servers and cloud applications over SSH, Kubernetes, and HTTPS. Hunters supports ingestion of Teleport Audit Events logs: all audit events that pass through Teleport Cloud.
To send these logs to Hunters, you need an on-premise log shipping infrastructure such as Fluentd or Logstash, which receives the logs from an on-premise server and outputs them to S3.
Learn more here.
Slack
Hunters now supports three types of logs from Slack:
- Slack Audit Logs - audit events occurring in an Enterprise Grid organization, used for compliance, safeguarding against inappropriate system access, and auditing suspicious behavior within your enterprise. More details can be found here.
- Slack Users - a list of all users in the workspace, including deleted/deactivated users. More details can be found here.
- Slack Files - a list of files within the team. More details can be found here.
Learn more here.
Cyera
Cyera automatically discovers and classifies your data, protects it from exposure, and allows you to maintain a resilient posture. Data from Cyera is collected and ingested by Hunters and can be used for triage and investigation.
Hunters supports the following logs from Cyera:
- Cyera Issues - Issues created by Cyera on the monitored assets.
- Cyera Datastores - a snapshot of all datastores seen by Cyera.
Learn more here.
Detection
Addition of new credentials to a service principal on Azure Active Directory
A common privilege-escalation path is gaining access to an application administrator and using the permissions of the app's service principal. To achieve this, an attacker adds new credentials to the service principal, logs in with those credentials, and uses the permissions the service principal already holds. Service principals can have a vast number of permissions, depending on the app, and the scope of these permissions can sometimes be the entire organization.
This detector looks for events where a user (or service principal) adds new credentials to a service principal. It is recommended to review the service principal's activity after the event and assess the permission level the service principal has.
The detector is part of our Azure content pack and will add to the coverage of our Azure content offering.
Relevant data sources: Azure Audit
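The detection logic described above, as an added example that is not Hunters' own detector code. It assumes Azure AD audit records in the JSON shape with activityDisplayName, initiatedBy and targetResources fields, and the activity name it matches on is an assumption; the sample records are constructed.

```python
# Assumed Azure AD audit activity name for credential additions (assumption, not from the page).
CREDENTIAL_ADD_ACTIVITIES = {"Add service principal credentials"}

# Constructed sample Azure AD audit records; not data from a real tenant.
SAMPLE_AUDIT_RECORDS = [
    {"activityDisplayName": "Add service principal credentials", "result": "success",
     "activityDateTime": "2023-02-01T10:15:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "alice@example.test"}},
     "targetResources": [{"type": "ServicePrincipal", "id": "sp-0001", "displayName": "billing-sync-app"}]},
    {"activityDisplayName": "Update service principal", "result": "success",
     "activityDateTime": "2023-02-01T10:20:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "bob@example.test"}},
     "targetResources": [{"type": "ServicePrincipal", "id": "sp-0002", "displayName": "hr-portal"}]},
    {"activityDisplayName": "Add service principal credentials", "result": "failure",
     "activityDateTime": "2023-02-01T10:25:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "carol@example.test"}},
     "targetResources": [{"type": "ServicePrincipal", "id": "sp-0003", "displayName": "ci-runner"}]},
    {"activityDisplayName": "Add service principal credentials", "result": "success",
     "activityDateTime": "2023-02-01T10:30:00Z",
     "initiatedBy": {"app": {"displayName": "automation-sp"}},
     "targetResources": [{"type": "ServicePrincipal", "id": "sp-0004", "displayName": "tenant-wide-reader"}]},
]

def actor_of(record):
    """Name the initiator: a user's UPN, or the display name of an acting app (service principal)."""
    initiated = record.get("initiatedBy") or {}
    if initiated.get("user"):
        return initiated["user"].get("userPrincipalName", "unknown-user")
    if initiated.get("app"):
        return initiated["app"].get("displayName", "unknown-app")
    return "unknown"

def detect_sp_credential_additions(records):
    """Return one finding per successful credential addition to a service principal."""
    findings = []
    for rec in records:
        if rec.get("activityDisplayName") not in CREDENTIAL_ADD_ACTIVITIES:
            continue
        if rec.get("result") != "success":  # failed attempts are excluded here
            continue
        for target in rec.get("targetResources") or []:
            if target.get("type") != "ServicePrincipal":
                continue
            findings.append({
                "time": rec.get("activityDateTime"), "actor": actor_of(rec),
                "service_principal": target.get("displayName"),
                "service_principal_id": target.get("id"),
                # Triage hint matching the page's recommendation for this detector.
                "next_step": "review this service principal's activity after this time and assess its permissions",
            })
    return findings
```

Running it over the constructed records yields two findings: the user-initiated addition on billing-sync-app and the app-initiated one on tenant-wide-reader; the unrelated update and the failed attempt are filtered out.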