Product updates
Additional information layer in Lead details
The Lead details page now shows more information about the involved entities in the Entities panel, giving you a better understanding of the incident before diving into the attribute investigation. For Threat Clustering Beta users, this improvement also helps you understand the cluster while working on one of its leads.
The panel will show the following information:
Type | What is it? | Relevant to
---|---|---
Asset tags | If any of the assets involved in the lead have an asset tag assigned, it will be displayed here. | All users
Cluster Key tags | This tag displays the attribute that is the basis for including this lead in the cluster. It could be the malicious intent or the malicious actor involved. | Threat Clustering Beta users
Cluster context tags | This tag highlights the differentiating factors of the lead, in comparison to other leads in the cluster. | Threat Clustering Beta users
Enhancements to the IOC Search
Hunters' IOC Search tool has been enhanced to include 8 new sources and 25 data types:
Data Source | Data Type
---|---
Darktrace | darktrace-model-breaches
 | darktrace-ai-analyst
 | darktrace-audit
Pulsesecure | pulsesecure-access-logs
 | pulsesecure-events-logs
 | pulsesecure-admin-logs
Cisco Umbrella | cisco-umbrella-dns-logs
 | cisco-umbrella-proxy-logs
 | cisco-umbrella-ip-logs
Pan | pan-firewall-globalprotect
Microsoft Defender for Endpoint | mdatp-device-file-events
 | mdatp-device-network-events
 | mdatp-device-process-events
 | mdatp-device-events
 | mdatp-device-logon-events
 | mdatp-device-registry-events
 | mdatp-device-image-load-events
 | mdatp-device-alert-events
AreaOne | areaone-alerts
 | areaone-indicators
Proofpoint Tap | proofpoint-tap-clicks-permitted
 | proofpoint-tap-messages-delivered
 | proofpoint-tap-messages-blocked
 | proofpoint-tap-clicks-blocked
PerceptionPoint | perceptionpoint-scans
Integrations
Cyberhaven
Cyberhaven is a data security company. Cyberhaven Sentry collects events as data moves throughout your company and can take real-time action to protect your data from theft, misuse, and exposure. It does this through three deployment modes that together give complete visibility and control over data: cloud API connectors, an endpoint agent, and a browser extension.
Integrating Cyberhaven into Hunters allows the data to be collected and stored, and Cyberhaven's alerts to be triaged in the Hunters portal.
Learn more here.
SailPoint
SailPoint IdentityNow is a modern SaaS-based Identity Security solution that provides a centralized way to see and control every user’s access to resources across hybrid IT environments while ensuring regulatory compliance. IdentityNow has built-in identity best practices that allow simplified administration without the need for specialized identity expertise.
IdentityNow enables organizations to store user data from across all their connected sources and manage the users' access, so the ability to query and filter that data is essential. Its main use cases include:
- Lifecycle Management
- Compliance Management
- Password Management
Hunters will ingest these data types and run OOTB detections over them.
Learn more here.
VMware ESXi
A VMware ESXi host generates logs for the various events occurring on the machine. The events are written to the local machine and can be extracted and collected into Hunters. Getting the logs into Hunters allows us to search over them and leverage them for security activity.
Learn more here.
Microsoft Intune
Microsoft Intune is a cloud-based endpoint management solution. It manages user access and simplifies app and device management across devices, including mobile devices, desktop computers, and virtual endpoints.
Microsoft Intune devices are integrated as asset-tagging entities within the Hunters pipeline and are segmented based on the health state reported by Intune.
Learn more here.
Detection
Time series detectors (UEBA)
Time series detectors are used to detect anomalies and potential threats in network traffic or other types of data over time. These detectors are based on the idea that abnormal behavior can be identified by analyzing patterns in time series data.
Hunters provides a growing list of time series detectors based on UEBA, starting with the SaaS Application Brute Force Attempt detector. The SaaS Application Brute Force Attempt detector is designed to establish a baseline for regular login attempt behavior using two time-sensitive checks, allowing the system to detect anomalies when they happen.
Learn more here.
Impossible travel detection
Hunters’ Impossible Travel detector detects anomalous consecutive SaaS logins from two different IP addresses by the same user, where the traveling speed required between them is impossible in the observed time frame. Impossible travel may indicate that the logins were not made by the same person, and therefore that the user was compromised by a malicious actor.
Upon initiation, the detector establishes a benchmark of ‘approved’ geo-locations used regularly by each user. Once a new and suspicious login location is detected, the system will examine whether it is a possible or an impossible travel from the user’s latest login location.
This detector will replace the existing Impossible Travel Okta detector, which will be deprecated on June 7th. Please make sure to complete any adjustment needed (alerting threshold, ignore rules or custom scoring) by then.
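The two-stage logic described above (a per-user baseline of approved locations, then a speed check against the latest login) as an added example; this is illustration code, not Hunters' detector, and the 1000 km/h cut-off, the `Login` fields and the sample login events are all constructed assumptions:

```python
from collections import namedtuple
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 1000.0  # assumed cut-off, faster than any airliner
# a login event: ts is a timezone-aware datetime, lat/lon come from IP geolocation
Login = namedtuple("Login", "user ts ip lat lon country")

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def approved_locations(history, min_logins=2):
    """Baseline: (user, country) pairs seen at least min_logins times in history."""
    counts = {}
    for l in history:
        counts[(l.user, l.country)] = counts.get((l.user, l.country), 0) + 1
    return {k for k, n in counts.items() if n >= min_logins}

def find_impossible_travel(history, new_logins, max_speed_kmh=MAX_SPEED_KMH):
    """Return (user, prev_ip, new_ip, km, km_per_h) for every impossible hop."""
    baseline = approved_locations(history)
    latest = {l.user: l for l in sorted(history, key=lambda x: x.ts)}  # last login per user
    alerts = []
    for l in sorted(new_logins, key=lambda x: x.ts):
        prev = latest.get(l.user)
        # only a new, non-baseline location reached from a different IP is examined
        if prev and prev.ip != l.ip and (l.user, l.country) not in baseline:
            hours = (l.ts - prev.ts).total_seconds() / 3600
            km = haversine_km(prev.lat, prev.lon, l.lat, l.lon)
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_speed_kmh:
                alerts.append((l.user, prev.ip, l.ip, round(km), round(speed)))
        latest[l.user] = l
    return alerts

T = datetime.fromisoformat  # ISO strings below carry an explicit UTC offset
# constructed sample events: alice usually logs in from Israel, bob from the UK
HISTORY = [
    Login("alice", T("2024-04-30T08:00+00:00"), "203.0.113.10", 32.08, 34.78, "IL"),
    Login("alice", T("2024-05-01T08:00+00:00"), "203.0.113.10", 32.08, 34.78, "IL"),
    Login("bob", T("2024-04-30T08:00+00:00"), "192.0.2.5", 51.51, -0.13, "GB"),
    Login("bob", T("2024-05-01T08:00+00:00"), "192.0.2.5", 51.51, -0.13, "GB"),
]
NEW = [  # alice "in New York" one hour later (impossible); bob in Paris four hours later (fine)
    Login("alice", T("2024-05-01T09:00+00:00"), "198.51.100.7", 40.71, -74.01, "US"),
    Login("bob", T("2024-05-01T12:00+00:00"), "192.0.2.77", 48.86, 2.35, "FR"),
]
```

Calling `find_impossible_travel(HISTORY, NEW)` flags only alice's hop; a second login from alice's approved country via a new IP would not be examined at all, which is exactly the false-positive the baseline exists to suppress.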
Execution of Rclone Tool Characteristics
Rclone is a versatile tool designed to synchronize files between machines and cloud storage services such as Google Drive, Dropbox, Amazon S3, and MEGA. It is a powerful open-source command-line program with multi-threading capabilities that lets users manage and migrate their cloud content easily. The tool has been associated with ransomware campaigns run by Ransomware-as-a-Service operations, where threat actors use Rclone to facilitate the exfiltration of sensitive data from a compromised network.
This new detector works by detecting Rclone tool characteristics and identifying the binary and command line flags associated with the tool.
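An added example of the kind of characteristics check described above, run over constructed process-creation events; it is illustration code, not Hunters' detector. The indicator lists are assumptions drawn from rclone's public command-line syntax, and the second event shows why flag and remote-syntax matching matters even when the binary has been renamed:

```python
import re

# assumed indicator lists, taken from rclone's public CLI syntax (not exhaustive)
RCLONE_IMAGES = {"rclone", "rclone.exe"}
RCLONE_COMMANDS = {"copy", "sync", "move", "copyto", "moveto", "lsd", "lsf", "config"}
RCLONE_FLAGS = {"--config", "--transfers", "--checkers", "--bwlimit", "--progress", "-P",
                "--no-check-certificate", "--ignore-existing", "--auto-confirm"}
# rclone addresses storage as "remote:path"; drive letters (C:\) and URLs (https://) are excluded
REMOTE_SPEC = re.compile(r"^[A-Za-z0-9_-]{2,}:(?!//)")

def rclone_characteristics(image, cmdline):
    """Classify one process-creation event. Returns (verdict, matched_indicators)."""
    name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    tokens = cmdline.split()[1:]  # drop argv[0], keep sub-command, args and flags
    command = tokens[0].lower() if tokens and tokens[0].lower() in RCLONE_COMMANDS else None
    flags = [t.split("=", 1)[0] for t in tokens if t.split("=", 1)[0] in RCLONE_FLAGS]
    remotes = [t for t in tokens if REMOTE_SPEC.match(t)]
    matched = (["image:" + name] if name in RCLONE_IMAGES else [])
    matched += (["command:" + command] if command else [])
    matched += ["flag:" + f for f in flags] + ["remote:" + r for r in remotes]
    if name in RCLONE_IMAGES:
        return "rclone", matched
    # renamed binary: an rclone sub-command combined with its flags or remote syntax is still distinctive
    if command and (len(flags) >= 2 or (flags and remotes)):
        return "rclone-renamed", matched
    return "none", matched

def scan(events):
    """Return [(image, verdict, matched), ...] for a list of (image, cmdline) events."""
    return [(image,) + rclone_characteristics(image, cmdline) for image, cmdline in events]

# constructed sample events (hypothetical paths and command lines)
EVENTS = [
    (r"C:\Users\u\AppData\Local\Temp\rclone.exe", r"rclone.exe copy C:\Finance mega:backup --transfers 10 -P"),
    (r"C:\Windows\Temp\update.exe", r"update.exe sync D:\Share s3remote:bucket --config C:\Windows\Temp\r.conf --no-check-certificate"),
    (r"C:\Windows\System32\robocopy.exe", r"robocopy.exe D:\Share E:\Backup /E"),
    (r"C:\Python311\python.exe", r"python.exe app.py --config app.yml"),
]
```

The last event shows the guard against noise: a lone `--config` on an unrelated program matches one indicator but never produces a verdict.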