Product updates
Increased API request limitations
We have recently raised the limit on API calls per 5-minute window for EU clients from 300 to 700 in response to increased demand. Once the limit is reached, further requests are blocked until the current 5-minute window has elapsed.
Integrations
New for AWS
AWS S3 Server Access Logs
A new type of AWS log can now be onboarded to Hunters: AWS S3 Server Access Logs. These logs record access requests made to a specific bucket and are stored in another, designated S3 bucket.
The new integration includes:
- Transformation for the AWS S3 Server Access Logs.
- Mapping the logs to the web requests unified schema.
- The logs cover actions on S3-related resources.
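As an added illustration of what a transformation for this log type has to do (this is example code, not Hunters' own transformation), the parser below tokenizes S3 server access log lines in the field order AWS documents for the format, maps them onto a web-request-shaped record, and runs one defender-oriented check over the result: successful object downloads with no authenticated requester, which indicate the object or bucket is readable by anyone. The log lines are constructed, with placeholders in place of real owner and host ids, and the output field names (`src_ip`, `url_path`, `s3_operation`, and so on) are assumptions rather than the platform's schema.

```python
"""Parse AWS S3 server access log lines into a web-request style record.
Added example; field order follows AWS's documented format, output names are assumptions."""
import re
from datetime import datetime, timezone

# Lines are space-separated except for the bracketed timestamp and quoted strings.
TOKEN = re.compile(r'\[[^\]]*\]|"(?:[^"\\]|\\.)*"|\S+')

# Field names in the order AWS documents them; trailing fields were added over time
# and may be missing on older lines, so only the first 17 are treated as mandatory.
FIELDS = ["bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
          "operation", "key", "request_uri", "http_status", "error_code", "bytes_sent",
          "object_size", "total_time", "turn_around_time", "referer", "user_agent",
          "version_id", "host_id", "signature_version", "cipher_suite", "auth_type",
          "host_header", "tls_version", "access_point_arn", "acl_required"]


def _clean(tok):
    """Strip the [..] / ".." wrappers and turn the "-" placeholder into None."""
    if (tok[0] == "[" and tok[-1] == "]") or (len(tok) > 1 and tok[0] == '"' and tok[-1] == '"'):
        tok = tok[1:-1]
    return None if tok == "-" else tok


def parse_line(line):
    """Return a dict of raw fields, or None when the line is too short to be valid."""
    toks = TOKEN.findall(line.strip())
    if len(toks) < 17:
        return None
    return dict(zip(FIELDS, (_clean(t) for t in toks)))


def to_web_request(rec):
    """Map a raw record onto a unified web-request shaped record (names are assumptions)."""
    ts = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    parts = (rec["request_uri"] or "").split(" ")
    return {
        "timestamp": ts.isoformat(),
        "src_ip": rec["remote_ip"],
        "http_method": parts[0] or None,
        "url_path": parts[1] if len(parts) > 1 else None,
        "http_status": int(rec["http_status"]) if rec["http_status"] else None,
        "error_code": rec["error_code"],
        "bytes_out": int(rec["bytes_sent"]) if rec["bytes_sent"] else 0,
        "user_agent": rec["user_agent"],
        "host": rec.get("host_header"),
        "s3_bucket": rec["bucket"],
        "s3_key": rec["key"],
        "s3_operation": rec["operation"],
        "requester": rec["requester"],
        "anonymous": rec["requester"] is None,   # "-" requester means unauthenticated
        "auth_type": rec.get("auth_type"),
        "tls_version": rec.get("tls_version"),
    }


def anonymous_object_reads(records):
    """Successful object downloads by unauthenticated callers: evidence that the
    object (or bucket) is world-readable, worth reviewing against what was intended."""
    return [r for r in records
            if r["anonymous"] and r["s3_operation"] == "REST.GET.OBJECT" and r["http_status"] == 200]


# Constructed sample lines; OWNERID-PLACEHOLDER and HOSTID-PLACEHOLDER stand in for real ids.
SAMPLE_LINES = [
    'OWNERID-PLACEHOLDER example-bucket [06/Feb/2019:00:00:38 +0000] 192.0.2.3 OWNERID-PLACEHOLDER '
    '3E57427F3EXAMPLE REST.GET.VERSIONING - "GET /example-bucket?versioning HTTP/1.1" 200 - 113 - 7 - '
    '"-" "S3Console/0.4" - HOSTID-PLACEHOLDER SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader '
    'example-bucket.s3.us-west-1.amazonaws.com TLSV1.2 - No',
    'OWNERID-PLACEHOLDER example-bucket [06/Feb/2019:00:01:00 +0000] 198.51.100.7 - 7B4A0FABBEXAMPLE '
    'REST.GET.OBJECT reports/q1.pdf "GET /example-bucket/reports/q1.pdf HTTP/1.1" 200 - 2048 2048 15 12 '
    '"-" "curl/8.0.1" - HOSTID-PLACEHOLDER - - - example-bucket.s3.us-west-1.amazonaws.com TLSV1.2 - No',
    'OWNERID-PLACEHOLDER example-bucket [06/Feb/2019:00:02:10 +0000] 198.51.100.7 - 891CE47D2EXAMPLE '
    'REST.GET.OBJECT secrets/env.txt "GET /example-bucket/secrets/env.txt HTTP/1.1" 403 AccessDenied 243 - 3 - '
    '"-" "curl/8.0.1" - HOSTID-PLACEHOLDER - - - example-bucket.s3.us-west-1.amazonaws.com TLSV1.2 - No',
]


if __name__ == "__main__":
    records = [to_web_request(parse_line(line)) for line in SAMPLE_LINES]
    for hit in anonymous_object_reads(records):
        print("world-readable object served:", hit["s3_bucket"], hit["s3_key"], hit["src_ip"])
```

The 403 line is kept on purpose: a denied anonymous read is the normal case and produces no hit, while the 200 on `reports/q1.pdf` does, which is the distinction a detection over the web-requests schema would key on.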
AWS S3 Client VPN Connection Logs
AWS S3 Client VPN Connection Logs consist mainly of the list of incoming and outgoing VPN server connections. These logs are now supported by Hunters and can be onboarded to the platform.
The new integration includes:
- Transformation for the AWS Client VPN Connection Logs.
- Mapping the logs to the web requests unified schema and to the unified login schema.
Note that AWS also offers Site-to-Site logs; these are not part of the Connection Logs.
AWS EKS Control Plane logs
Also from AWS, Hunters now supports AWS EKS Control Plane logs. Control Plane logs provide insight into the activities and operations of the Kubernetes control plane, which comprises the API server, scheduler, controller manager, and related components. They are mostly about what Kubernetes itself is doing to manage your workloads: scheduling decisions, control loop activity, system jobs, and API server requests. They are essential for understanding how the Kubernetes system itself is working and whether it is healthy.
This is one of the biggest integrations we’ve completed so far, mainly because of the various log types under the same product. Moreover, this integration serves as a stepping stone for any future content and detections to be implemented in the realm of K8S.
Note: At the current phase of this integration we do not have any running content on these logs (third-party detection, unified schemas or detectors, IOC Search).
The new integration includes 6 different transformations, one for each distinct data type (which are described here), and the data is ingested into Snowflake.
Infoblox Audit & DHCP
A new type of log from Infoblox is now supported: Audit logs. The audit log contains a record of all TOE administrative activities. The new integration includes:
- Transformation for Infoblox NIOS DHCP
- Transformation for Infoblox Audit
- Mapping Infoblox Audit to the Login unified schema
VMware AirWatch Workspace One UEM
Hunters now supports a new type of VMware logs: VMware AirWatch Workspace One logs. These are Linux system logs generated by VMware AirWatch Workspace One, and the integration includes the following:
- Transformation and Ingestion of the data from an S3 bucket to Snowflake for the data type vmware-airwatch-workspace-one-logs
- Mapping of the data type to the Unified Login Schema.
Bricata NDR
Bricata NDR is a Network Threat Detection and Response platform. Bricata's Network Detection and Response (NDR) product is a cybersecurity solution that combines machine learning, full-spectrum threat detection, and automated response capabilities to identify, analyze, and counter network-based threats in real time.
The new integration includes:
- Handling suffix pattern
- Transformation of the Bricata NDR Logs
- Third party detection over the logs
Crowdstrike Mobile
Hunters now supports Mobile Alerts from CrowdStrike. CrowdStrike Mobile Alerts monitor and record activity taking place on Android and iOS devices, providing the visibility needed to detect attackers, malicious insider activity, and corporate data leakage.
The integration includes:
- Puller collection
- Transformation of logs
- Third party detection
Ironscales Incidents
IRONSCALES is an integrated cloud email security (ICES) platform that provides businesses with a complete phishing protection solution for enterprise email security. The IRONSCALES™ cloud-native, API-based email security platform is continuously learning, detecting, and remediating advanced threats at the mailbox level, both before and after email delivery.
The integration includes:
- A puller for the incidents endpoint
- Transformation of the data to Snowflake
- Third party detection written over the new data
Malwarebytes Nebula
Malwarebytes is anti-malware software for Microsoft Windows, macOS, ChromeOS, Android, and iOS that finds and removes malware. Integrating Malwarebytes Nebula into Hunters allows the collection and ingestion of its key data types into the data lake. Furthermore, alerts are created over the logs, auto-investigated, and correlated with other related signals.
The integration includes the following data types:
- Malwarebytes Nebula Events - Endpoint detections that Nebula generates.
- Malwarebytes Nebula Detections - Events on the Nebula console.
The new integration includes:
- A puller for the Detections and Events endpoints
- Transformations for both data types to Snowflake.
- Third party detection written over the Detections data.
We also authored a new Investigation Group for third-party detection, which in some cases avoids the creation of new IGs for NAs.
Detection
New detectors
Suspected Kerberoasting - Excessive Weakly Encrypted TGS Requests
During a Kerberoasting attack, attackers usually request an excessive number of TGS tickets with weak encryption in order to increase their chances of cracking a ticket. The Suspected Kerberoasting detector detects excessive weakly encrypted (RC4 or DES) TGS requests for different services by the same user. It is a Time Series Anomaly detector, specifically designed to identify anomalies in behavior over time. The detector compares current behavior with past behavior during a corresponding time period: the same weekday and 8-hour period in each of the previous 10 weeks, as well as the behavior in the past 80 hours. To make the detection even more accurate, we increase the confidence score of a lead if the requested service was previously issued with a stronger encryption type, if the service was never requested before at all, or if the number of different services is exceptionally high. Each of these cases has a high probability of being a malicious Kerberoasting attack.
Deprecated detectors
We’ve recently deprecated the detectors below, as they were not meeting our SNR standards and were producing too many false positives:
- Office Application Loads WMI Module
- Failed MFA Challenge without Successful Followup
- Login Attempt to a Locked Okta Account - This detector was replaced by the more complete and sophisticated detector SaaS Application Brute Force Attempt. The original detector produced too much redundant noise, since trying to log into a locked Okta account is quite common behavior. The new detector alerts only on anomalous behavior, which prevents false positives, and because it is based on generic detection logic it also detects brute force attempts on many other data types.
Modified detectors
We’ve recently improved the detection logic of the Discovery Behavior in AWS Control Plane detector by moving it to the time series template. This detector detects AWS actors performing a large number of AWS API calls that can be used for Cloud Discovery within a short period of time. Threat actors that gain initial access to a target's AWS environment will most likely begin their activity with Cloud Discovery, since without knowing what resources exist in the target's environment the adversary cannot achieve their goals.
Using Time Series Anomaly calculation, we can now identify anomalies in behavior over time and avoid generating leads for services that make AWS API calls all the time, without having to explicitly whitelist them (visibility security products such as Axonius, for example). The detector compares current behavior with past behavior during a corresponding time period: the same weekday and 4-hour period in each of the previous 10 weeks, as well as the behavior in the past 80 hours.
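Both detectors above describe the same baseline construction: the entity's count in the current fixed window is compared with the same weekday and window in each of the previous 10 weeks, plus every window in the past 80 hours. The example below is added here to show that logic end to end on constructed data and is not Hunters' detector code; it applies one shared baseline function to the Kerberoasting case (8-hour windows over Event ID 4769-style records, with the three confidence boosts the description lists) and to the AWS Cloud Discovery case (4-hour windows over CloudTrail-style `eventName` values). The weak encryption types map RC4-HMAC and the DES variants as reported in Event 4769; the 3-sigma threshold, the minimum count, the confidence increments, the "exceptionally many services" cutoff of 20, and the treatment of `Describe*`/`List*`/`Get*` as discovery calls are all assumptions made for the example, as is the sample data.

```python
"""Time-series anomaly baseline as described for the Kerberoasting and AWS Cloud
Discovery detectors. Added illustration on constructed data; not Hunters' code."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Event ID 4769 ticket encryption types the text treats as weak: RC4-HMAC, DES-CBC-CRC, DES-CBC-MD5.
WEAK_ETYPES = {"0x17", "0x1", "0x3"}
# CloudTrail eventName prefixes counted as discovery calls (assumption for the example).
DISCOVERY_PREFIXES = ("Describe", "List", "Get")


def window_start(ts, hours):
    """Align a timestamp to the start of its fixed window (hours must divide 24)."""
    return ts.replace(hour=(ts.hour // hours) * hours, minute=0, second=0, microsecond=0)


def distinct_per_window(events, hours, field):
    """Number of distinct `field` values per (entity, window start)."""
    seen = defaultdict(set)
    for ev in events:
        seen[(ev["entity"], window_start(ev["ts"], hours))].add(ev[field])
    return {k: len(v) for k, v in seen.items()}


def reference_values(counts, entity, now, hours, weeks=10, lookback_hours=80):
    """Same weekday and window in each of the previous `weeks` weeks, plus every
    window inside the past `lookback_hours` hours; windows with no events count as 0."""
    cur = window_start(now, hours)
    ref = [counts.get((entity, cur - timedelta(weeks=w)), 0) for w in range(1, weeks + 1)]
    t = cur - timedelta(hours=hours)
    while t >= cur - timedelta(hours=lookback_hours):
        ref.append(counts.get((entity, t), 0))
        t -= timedelta(hours=hours)
    return ref


def anomaly(counts, entity, now, hours, min_count=5, sigmas=3.0):
    """(is_anomalous, current_count, z_score) for the entity's current window."""
    cur = counts.get((entity, window_start(now, hours)), 0)
    ref = reference_values(counts, entity, now, hours)
    z = (cur - mean(ref)) / (pstdev(ref) or 1.0)   # flat baseline: fall back to unit spread
    return (cur >= min_count and z > sigmas), cur, z


def kerberoast_lead(events, user, now, hours=8):
    """Distinct services requested with weak etypes by one user in the current 8h
    window, with the three confidence boosts the detector description lists."""
    weak = [e for e in events if e["etype"] in WEAK_ETYPES]
    flagged, cur, z = anomaly(distinct_per_window(weak, hours, "service"), user, now, hours)
    if not flagged:
        return None
    start = window_start(now, hours)
    current = {e["service"] for e in weak if e["entity"] == user and e["ts"] >= start}
    history = defaultdict(set)  # service -> etypes seen before the current window
    for e in events:
        if e["ts"] < start:
            history[e["service"]].add(e["etype"])
    confidence, reasons = 0.5, []
    if any(s not in history for s in current):
        confidence += 0.15
        reasons.append("service never requested before")
    if any(history[s] - WEAK_ETYPES for s in current if s in history):
        confidence += 0.15
        reasons.append("service previously issued with a stronger etype")
    if cur >= 20:  # cutoff for "exceptionally many services" is an assumption
        confidence += 0.15
        reasons.append("exceptionally many distinct services")
    return {"user": user, "distinct_services": cur, "z": round(z, 1),
            "confidence": min(confidence, 1.0), "reasons": reasons}


def discovery_lead(events, actor, now, hours=4):
    """Distinct discovery API calls by one AWS actor in the current 4h window vs. its baseline."""
    disc = [e for e in events if e["api"].startswith(DISCOVERY_PREFIXES)]
    flagged, cur, z = anomaly(distinct_per_window(disc, hours, "api"), actor, now, hours)
    return {"actor": actor, "distinct_calls": cur, "z": round(z, 1)} if flagged else None


NOW = datetime(2024, 3, 14, 10, 30)  # constructed reference time (a Thursday)


def sample_kerberos():
    """Constructed 4769-style events: benign RC4 use of one legacy SPN once a week, AES use
    of an intranet SPN every 8h, then a burst of RC4 requests for 13 distinct SPNs."""
    ev = [{"entity": "alice", "ts": NOW - timedelta(weeks=w), "service": "MSSQLSvc/db1", "etype": "0x17"}
          for w in range(1, 11)]
    ev += [{"entity": "alice", "ts": NOW - timedelta(hours=h), "service": "HTTP/intranet", "etype": "0x12"}
           for h in range(8, 81, 8)]
    ev += [{"entity": "alice", "ts": NOW - timedelta(minutes=i), "service": f"svc{i}/host{i}", "etype": "0x17"}
           for i in range(12)]
    ev.append({"entity": "alice", "ts": NOW, "service": "HTTP/intranet", "etype": "0x17"})
    return ev


def sample_cloudtrail():
    """Constructed CloudTrail-style events: a scanner that enumerates 30 APIs every 4h
    (a steady baseline, so never flagged without any allowlist) and a new actor doing it once."""
    apis = [f"Describe{n}" for n in range(30)]
    ev = [{"entity": "axonius-scanner", "ts": NOW - timedelta(hours=h, minutes=10), "api": a}
          for h in range(0, 71 * 24, 4) for a in apis]
    ev += [{"entity": "new-user", "ts": NOW, "api": a} for a in apis]
    return ev


if __name__ == "__main__":
    print(kerberoast_lead(sample_kerberos(), "alice", NOW))
    print(discovery_lead(sample_cloudtrail(), "axonius-scanner", NOW))
    print(discovery_lead(sample_cloudtrail(), "new-user", NOW))
```

The scanner actor is the point of the time-series approach: its 30 discovery calls every window make its baseline flat at 30, so the current window scores zero deviation and no lead is produced, whereas the same 30 calls from an actor with an empty history are far outside its baseline. In the Kerberos sample the weekly RC4 request for the legacy SPN keeps the baseline non-zero without masking the burst, and the intranet SPN that was previously requested with AES triggers the stronger-etype boost.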