Product updates
New Look to the Lead Details Section
The Lead Details section got a new look!
- The lead header now includes the risk level and a description of the lead in the title. Below it, the detector name and data source information are shown, including the product/vendor icon and the data flow name.
- We moved the Entities section up so you can quickly understand the scope of the lead and the affected entities. We also added each entity's role, to better explain the attack flow.
- We moved the Risk Level section up so that Hunters' automatic investigation and scoring can be leveraged during initial triage to understand the priority of the lead.
Improvements to Comments in the SOC Queue
All users can now add comments to leads in bulk. Simply select the relevant leads, and click Comment from the options bar. This bar allows you to add a text comment, format it and add attachments.
Threat Clustering Beta users can now add bi-directional comments, meaning that comments added to a clustered lead are also reflected at the cluster level, and vice versa.
Axon Library
We've added a new section to our documentation site - Axon Library. This is an 'under the hood' section in which we will periodically publish reports and threat-hunting analysis docs produced by Team Axon. These docs cover attack techniques researched by the team and include investigation guidance, threat-hunting queries, mitigations, and more.
Integrations
CrowdStrike Spotlight
In addition to our existing CrowdStrike support, Hunters now supports onboarding CrowdStrike Spotlight logs. Spotlight offers security teams a real-time assessment of vulnerability exposure on their endpoints that is always current, by natively integrating industry-leading threat intelligence, and letting security and VM teams deeply understand common vulnerabilities and exposures (CVEs).
CrowdStrike Incidents
As another addition to our existing CrowdStrike support, you can now onboard CrowdStrike Incident logs.
Semperis DSP
Hunters now supports the integration of logs from Semperis. Semperis DSP is a solution designed to improve the security of Active Directory environments. It offers various features to detect, prevent, and recover from Active Directory-based attacks such as insider threats, ransomware, and advanced persistent threats (APTs).
Semperis DSP provides a wide range of logs related to Active Directory activity, including changes to AD objects, user authentication, access control, group policy, security features, and compliance.
Aviatrix
Aviatrix is a next-generation, multi-cloud networking and security platform that simplifies the management, visibility, and control of cloud networks. As a cloud-native solution, it fits into the category of Software-Defined Networking (SDN) in the cybersecurity landscape. Hunters now supports ingestion of Aviatrix System Logs (syslogs) and Aviatrix Auth Logs (auth.log).
Detection
Ransomware Detection Pack
As part of our efforts to expand the scope of our Ransomware detection pack, we've added these new detectors:
Plain Text Password Discovery
Storing passwords in plain-text files poses a severe security risk: because the passwords are not encrypted, they are easily accessible and exploitable by malicious actors and red teamers. A user who reads unencrypted passwords can gain unauthorized access to systems and elevate their privileges. It is therefore critical to identify and prevent access to plain-text password files.
This new detector looks for access to multiple plain text password files by a single user over a short period of time. This behavior can indicate a threat actor who is looking for stored password files within the network.
Data sources: EDR RAW logs
Suspected Data Exfiltration Using Rclone
Rclone is a versatile open-source command-line tool designed for syncing files between machines and cloud storage services such as Google Drive, Dropbox, Amazon S3, and MEGA. Its multi-threading capabilities make it a powerful tool for managing and migrating cloud content. However, Rclone has also been associated with Ransomware-as-a-Service operations, where threat actors use it to facilitate the exfiltration of sensitive data from compromised networks.
This new detector looks for potentially unauthorized exfiltration of sensitive data from a compromised network by identifying outbound HTTP(S) traffic of more than 10 MB over a 1-hour interval that is attributed to the Rclone tool based on the characteristics of the user agent.
Data sources: Proxy data
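Both detectors described above are windowed-threshold rules: count distinct plain-text password files touched by one user in a short window, and sum outbound bytes per source over a 1-hour window for requests whose user agent looks like Rclone. The following Python is an added example written for this page, not Hunters' detector code. It uses one sliding-window aggregator for both rules and runs it over constructed EDR-style and proxy-style sample events. The log schemas, the file-name regex, the Rclone user-agent pattern (`rclone/v<version>` is the tool's default, but treat the pattern as an assumption), and the "3 files in 10 minutes" threshold for the password-file rule are all assumptions made here; the page only states "multiple" files over a "short period", and 10 MB per hour for the Rclone rule.

```python
"""Windowed-threshold detection over constructed sample logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed EDR-style file-access events: (timestamp, user, file path).
EDR_EVENTS = [
    ("2024-01-10T09:00:05", "corp\\alice", r"C:\Users\alice\Documents\passwords.txt"),
    ("2024-01-10T09:01:10", "corp\\alice", r"\\fileserver\share\creds.txt"),
    ("2024-01-10T09:03:45", "corp\\alice", r"C:\IT\admin_passwords.xlsx"),
    ("2024-01-10T09:04:20", "corp\\alice", r"C:\Users\alice\Documents\report.docx"),
    ("2024-01-10T11:30:00", "corp\\bob", r"C:\Users\bob\passwords.txt"),
    ("2024-01-11T08:00:00", "corp\\bob", r"C:\Users\bob\old_passwords.txt"),
]

# Constructed proxy-style events: (timestamp, source IP, destination host,
# user agent, bytes sent). 10.0.0.7 sends 11 MB total, but 4 hours apart.
PROXY_EVENTS = [
    ("2024-01-10T14:00:00", "10.0.0.5", "api.mega.co.nz", "rclone/v1.65.0", 4_000_000),
    ("2024-01-10T14:20:00", "10.0.0.5", "api.mega.co.nz", "rclone/v1.65.0", 4_000_000),
    ("2024-01-10T14:40:00", "10.0.0.5", "api.mega.co.nz", "rclone/v1.65.0", 3_000_000),
    ("2024-01-10T14:05:00", "10.0.0.9", "www.dropbox.com", "Mozilla/5.0 (Windows NT 10.0)", 50_000_000),
    ("2024-01-10T09:00:00", "10.0.0.7", "s3.amazonaws.com", "rclone/v1.60.1", 2_000_000),
    ("2024-01-10T13:00:00", "10.0.0.7", "s3.amazonaws.com", "rclone/v1.60.1", 9_000_000),
]

# Assumed name pattern for plain-text password files (file name only, not directories).
PASSWORD_FILE_RE = re.compile(r"(password|passwd|pwd|cred)[^\\/]*\.(txt|csv|xlsx|docx)$", re.I)
# Assumed user-agent pattern; rclone sends "rclone/v<version>" by default.
RCLONE_UA_RE = re.compile(r"^rclone/v?\d", re.I)


def parse_ts(value):
    """Parse the ISO-8601 timestamps used in the constructed samples."""
    return datetime.fromisoformat(value)


def sliding_windows(events, key_fn, ts_fn, window):
    """Group events by key and yield (key, events) for every trailing window
    that ends at an event and spans at most `window` back in time."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[key_fn(ev)].append(ev)
    for key, evs in by_key.items():
        evs.sort(key=ts_fn)
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span fits inside `window`.
            while ts_fn(evs[end]) - ts_fn(evs[start]) > window:
                start += 1
            yield key, evs[start:end + 1]


def detect_password_file_discovery(events, min_files=3, window=timedelta(minutes=10)):
    """Return {user: set of distinct password-file paths} for users who touched
    at least `min_files` distinct password-looking files inside one window."""
    hits = [ev for ev in events if PASSWORD_FILE_RE.search(ev[2])]
    alerts = {}
    for user, win in sliding_windows(hits, lambda e: e[1], lambda e: parse_ts(e[0]), window):
        files = {e[2].lower() for e in win}
        if len(files) >= min_files and len(files) > len(alerts.get(user, ())):
            alerts[user] = files
    return alerts


def detect_rclone_exfil(events, threshold_bytes=10 * 1024 * 1024, window=timedelta(hours=1)):
    """Return {source IP: largest 1-hour byte total} for sources whose Rclone
    user-agent traffic exceeded `threshold_bytes` inside one window."""
    rclone = [ev for ev in events if RCLONE_UA_RE.match(ev[3])]
    alerts = {}
    for src, win in sliding_windows(rclone, lambda e: e[1], lambda e: parse_ts(e[0]), window):
        total = sum(e[4] for e in win)
        if total > threshold_bytes:
            alerts[src] = max(alerts.get(src, 0), total)
    return alerts


if __name__ == "__main__":
    print("password-file discovery:", detect_password_file_discovery(EDR_EVENTS))
    print("rclone exfiltration:", detect_rclone_exfil(PROXY_EVENTS))
```

On the constructed data only `corp\alice` (three distinct password files in under four minutes) and `10.0.0.5` (11 MB to MEGA within 40 minutes via an Rclone user agent) alert; `10.0.0.7` sends the same volume but spread across two windows, and the browser-driven 50 MB upload is ignored because the rule keys on the user agent, not on volume alone. Both thresholds are parameters so they can be tuned against a tenant's baseline.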