Product updates
Databricks Partner Connect - an easier way to connect your Databricks to Hunters
As part of Hunters’ support for Databricks as a security data lake, you can now skip the hassle and time of setting up Databricks manually and use the quicker Partner Connect method instead.
The Partner Connect option is available through your Databricks Partner Connect Store and requires only a few clicks. It has all of the setup options already in place to avoid any mistakes in the provisioning process.
Learn more about connecting Databricks to Hunters.
Quicker lead actions
Previously, after triaging and investigating a lead, you had to close the lead panel to assign the lead to your colleagues, change its status or classify its maliciousness. Now, you can do all of these from the lead panel itself.
Additionally, you can now assign a lead to yourself or clear the selected assignee using two new quick-assign actions.
Detector source indication
Hunters supports detectors from 3 sources:
- 3rd party - detectors arriving directly from your connected data sources.
- Hunters - OOTB detectors researched and built by Hunters.
- Custom - detectors you build on your own on the Hunters platform.
Previously, it was difficult to ascertain the source of each detector. From now on, the Leads page shows a detector source indication, so you can tell where each detector comes from quickly and easily.
Integrations
Thinkst Canary
Thinkst Canary is an agent installed on network appliances that monitors them and attempts to discover incidents.
Integrating Thinkst Canary into Hunters allows the collection and ingestion of key data types into the data lake. Furthermore, alerts will be created over the logs, auto-investigated, and correlated to other related signals.
Learn more here
Kiteworks
Kiteworks is a secure file-sharing and collaboration platform that provides a variety of security features, including advanced threat protection (ATP), data loss prevention (DLP), encryption, and access control. Kiteworks can be integrated into the Hunters SOC platform to provide a comprehensive security solution for organizations.
Learn more here
Salesforce
We recently completed an integration with Salesforce, including the collection of logs via the Salesforce API and their transformation to a new schema, Salesforce Event Logs, which contains 60 different event types from the Salesforce console.
Learn more here
Wazuh
Wazuh is a security platform that protects workloads across on-premises, virtualized, containerized, and cloud-based environments.
The integration includes data transformation and native alerts.
Learn more here
STIX-TAXII
We are glad to announce that the STIX-TAXII Connector integration is now available. TAXII, combined with STIX, is the cyber threat intelligence (CTI) industry standard for representing and communicating threat intelligence information. Many products expose a TAXII server for delivering STIX data, and these can now be connected to Hunters.
This new integration connects easily to any such TAXII server, whichever product exposes it.
Learn more here
Updates to existing integrations
- VMWare - we now support the ingestion of VMWare Airwatch Workspace One logs using an intermediary S3 bucket.
- Infoblox - we’ve added support for two new data types from Infoblox: Infoblox NIOS DHCP and Infoblox Audit.
- Symantec - you can now connect Symantec Cloud Secure Web Gateway Logs.
Detection
Okta MFA fatigue attempt
This detector aims to catch attackers who attempt to fatigue users with a large number of MFA push requests until the user taps “Yes, this was me”, even though the user was not the one initiating the login.
This is another Time Series detector: it counts the push requests sent to a user in a 1-hour interval. Once the count is anomalous for that user and also exceeds a minimum number of push events (so that a single push event will not trigger a lead), a lead is created that includes the IP addresses and user agents involved.
Learn more here
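The following is an added illustration of the detection logic described above, not Hunters’ own detector code: it buckets constructed Okta System Log push events per user and hour, compares each hour against that user’s earlier hourly counts with a simple z-score (a stand-in for the platform’s time-series model), applies the minimum-push floor, and attaches the IPs and user agents seen in the flagged hour. The event type name, thresholds and sample events are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

PUSH_EVENT = "system.push.send_factor_verify_push"  # assumed Okta push-challenge event type
MIN_PUSHES = 5      # floor so a handful of pushes never raises a lead on its own
Z_THRESHOLD = 3.0   # how far above the user's own hourly baseline counts as anomalous

# Constructed sample Okta System Log events: (published, actor, eventType, client ip, user agent)
EVENTS = []
for day in range(1, 8):  # a week of normal behaviour: one or two pushes per hour
    for hour in (9, 13):
        EVENTS.append((f"2024-03-0{day}T{hour:02d}:05:00", "alice", PUSH_EVENT, "10.0.0.5", "Okta Verify/7.0"))
    EVENTS.append((f"2024-03-0{day}T13:40:00", "alice", PUSH_EVENT, "10.0.0.5", "Okta Verify/7.0"))
# the fatigue burst: nine pushes within one hour from two unfamiliar IPs
for minute in range(0, 45, 5):
    EVENTS.append((f"2024-03-08T02:{minute:02d}:00", "alice", PUSH_EVENT,
                   "203.0.113.9" if minute < 25 else "198.51.100.4", "python-requests/2.31"))
# bob: a few pushes, never enough to cross MIN_PUSHES
for minute in (0, 10, 20):
    EVENTS.append((f"2024-03-08T02:{minute:02d}:00", "bob", PUSH_EVENT, "10.0.0.7", "Okta Verify/7.0"))
EVENTS.append(("2024-03-08T03:00:00", "alice", "user.session.start", "10.0.0.5", "Okta Verify/7.0"))

def hourly_buckets(events):
    """Group push events per (user, hour) and keep the IPs/user agents seen in each bucket."""
    buckets = defaultdict(list)
    for ts, user, etype, ip, ua in events:
        if etype != PUSH_EVENT:  # other Okta events do not count towards fatigue
            continue
        hour = datetime.fromisoformat(ts).replace(minute=0, second=0)
        buckets[(user, hour)].append((ip, ua))
    return buckets

def detect_mfa_fatigue(events, min_pushes=MIN_PUSHES, z=Z_THRESHOLD):
    """Return one lead per (user, hour) whose push count is both above the floor
    and anomalous against that user's earlier hourly counts."""
    buckets = hourly_buckets(events)
    leads = []
    for user in {u for u, _ in buckets}:
        history = []  # this user's hourly push counts seen so far, in time order
        for hour in sorted(h for u, h in buckets if u == user):
            count = len(buckets[(user, hour)])
            if count >= min_pushes and history:
                mu, sigma = mean(history), pstdev(history)
                if count > mu + z * max(sigma, 1.0):  # floor sigma so a flat baseline still works
                    leads.append({"user": user, "hour": hour.isoformat(), "pushes": count,
                                  "ips": sorted({ip for ip, _ in buckets[(user, hour)]}),
                                  "user_agents": sorted({ua for _, ua in buckets[(user, hour)]})})
            history.append(count)
    return leads
```

With the constructed data, only alice’s 02:00 hour on 2024-03-08 is raised (nine pushes against a baseline of one to two per hour), while bob’s three pushes stay below the floor.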
Reducing false positives
We’ve recently started several projects aimed at lowering the number of false positive leads generated by the system. One part of this effort, now completed, leverages the organizational IP rollup to filter out IP addresses that were seen from at least one EDR agent during the past 60 days.
Furthermore, we added several filters to remove service accounts, based on asset-tagging as well as snippet rules for specific cases.
Google Workspace delegation configuration created on GCP service account
This new detector identifies when a Domain-Wide Delegation (DWD) configuration has been created on a GCP service account identity object. It monitors the Domain-Wide Delegation feature in Google Workspace (GWS), which allows GWS applications or GCP service accounts to act on behalf of users and access data throughout the GCP and Workspace ecosystem. This feature is vital for applications that need to call Google APIs or any service that requires user impersonation.