Read about everything that's new on Hunters.
Product updates
GPT-assisted investigations
This new feature (currently in closed Beta) lets users ask GPT about command lines that appear in the Auto-Investigation drawer for Leads generated by the Hunters platform from EDR-related data.
This gives security analysts a better understanding of command lines and helps them determine whether the lead they are investigating is benign or malicious.
This new feature is powered by the Microsoft Azure OpenAI service, so prompts are only made available to Microsoft Azure (which helps prevent abusive or harmful use of the service). None of the prompts are used to train the underlying GPT model, so the command lines investigated by this service remain protected by Microsoft’s enterprise-level data protection safeguards and are not shared with OpenAI or others.
Search for leads on an absolute date
Improve SOC Queue usability by filtering for absolute date and time range. By selecting a specific date and time range, you can deep-dive into Leads and Stories effectively.
In addition to filtering, you can now also share the Leads and Stories by copy-pasting the relevant URL that contains the date and time range. Once shared, clicking on the URL will open the Hunters portal with the exact date and time range.
Integrations
1Password Audit Events
A new type of 1Password log is now supported by Hunters: Audit Events. These logs return audit events from the Activity Log of your 1Password Business account. Audit event data includes actions performed by team members in a 1Password account, such as changes made to the account, vaults, groups, users, and more. More information on the event types can be found here.
Learn more here.
Cisco Firewall Impact Flag Logs
Hunters now supports a new type of logs from Cisco: Cisco Firewall Impact Flag logs. This integration includes the native alerts arriving from Cisco and a new model that maps each alert to MITRE.
Learn more here.
Detection
Azure Activity authentication and action IP mismatch
Azure Activity logs record Azure events performed by users and also hold data from the JWT used for the event. The JWT contains data about the user, such as roles, groups, and permissions, as well as the IP address from which the token was requested. A mismatch between the IP address of the action itself and the IP address from which the token was requested might indicate that an access token was stolen from a user’s endpoint and used from a different location.
This detector flags a mismatch between the IP used to request the access token and the IP used to perform the action. Threat actors typically use stolen access tokens from their own infrastructure, so this mismatch can indicate a stolen token being replayed from the actor’s environment. It is recommended to check whether the action IP address corresponds to an unusual geo-location for the organization and to assess the impact the action may have on the organization’s infrastructure.
Relevant data sources: Azure Activity
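The following is an added illustration of the mismatch check described above, written for this page; it is not the Hunters detector. It runs over a few constructed Azure Activity records and flags an event only when both the token's IP claim and the caller IP are present and differ. The field names (top-level callerIpAddress and the ipaddr entry under identity.claims) follow the Azure Activity log schema as the author of this example understands it and should be verified against your own export; the sample records, user names and IP addresses are constructed.

```python
"""Flag Azure Activity events whose caller IP differs from the IP recorded in
the access token's claims (added example, not Hunters' detector)."""
import ipaddress
import json

# Constructed sample Azure Activity records (no real tenant data).
# Assumption: the request source is in "callerIpAddress" and the IP the token
# was issued to is in identity.claims["ipaddr"]; adjust to your export format.
SAMPLE_EVENTS = [
    # Normal: token requested and action performed from the same address.
    {"operationName": "Microsoft.Compute/virtualMachines/write",
     "callerIpAddress": "203.0.113.10",
     "identity": {"claims": {"ipaddr": "203.0.113.10",
                             "name": "alice@example.com"}}},
    # Suspicious: token minted for one address, action arrives from another.
    {"operationName": "Microsoft.Authorization/roleAssignments/write",
     "callerIpAddress": "198.51.100.77",
     "identity": {"claims": {"ipaddr": "203.0.113.10",
                             "name": "alice@example.com"}}},
    # Service-principal action: no ipaddr claim, so there is nothing to compare.
    {"operationName": "Microsoft.Storage/storageAccounts/listKeys/action",
     "callerIpAddress": "192.0.2.5",
     "identity": {"claims": {"appid": "00000000-0000-0000-0000-000000000000"}}},
    # Same IPv6 address written two ways: must normalise to equal, not alert.
    {"operationName": "Microsoft.KeyVault/vaults/read",
     "callerIpAddress": "2001:db8::1",
     "identity": {"claims": {"ipaddr": "2001:0db8:0000:0000:0000:0000:0000:0001",
                             "name": "bob@example.com"}}},
]


def normalize_ip(value):
    """Return a canonical IPv4/IPv6 address object, or None if absent/invalid."""
    if not value:
        return None
    try:
        return ipaddress.ip_address(str(value).strip())
    except ValueError:
        return None


def token_ip(event):
    """IP the access token was requested from (the ipaddr claim)."""
    claims = event.get("identity", {}).get("claims", {})
    return normalize_ip(claims.get("ipaddr"))


def caller_ip(event):
    """IP the action itself was performed from."""
    return normalize_ip(event.get("callerIpAddress"))


def is_ip_mismatch(event):
    """True only when both addresses are known and differ.

    Events without an ipaddr claim (e.g. service principals) are skipped rather
    than flagged, so the check does not fire on every non-user action.
    """
    t, c = token_ip(event), caller_ip(event)
    if t is None or c is None:
        return False
    return t != c


def find_mismatches(events):
    """Return one finding per mismatching event, ready for triage."""
    findings = []
    for ev in events:
        if not is_ip_mismatch(ev):
            continue
        claims = ev.get("identity", {}).get("claims", {})
        findings.append({
            "operation": ev.get("operationName"),
            "user": claims.get("name"),
            "token_ip": str(token_ip(ev)),
            "action_ip": str(caller_ip(ev)),
        })
    return findings


def find_mismatches_in_jsonl(text):
    """Convenience wrapper for an export in JSON Lines form."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return find_mismatches(events)


if __name__ == "__main__":
    for finding in find_mismatches(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

Each finding carries the operation, the user and both addresses, which is what the triage step above asks for: the analyst can geo-locate the action IP and judge the blast radius of the operation. Normalising through the ipaddress module avoids false positives from differently formatted IPv6 strings, and skipping events without an ipaddr claim keeps service-principal activity out of the results.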