Note
This article was originally published on November 14, 2024.
Hunters’ Security Research team is improving the detection processors behind several detectors that flag successful logins from machines without an EDR agent. This should improve reliability and reduce false positives: the detectors now look for EDR activity from both the external and the internal IP of the login source, instead of the external IP alone.
Scope and timeline
These changes will be rolled out gradually, following the timeline and detection scope below (each detector is listed with its processor identifier):
Batch 1 (completed on September 27, 2024)
Successful AWS console login from host without an EDR agent (aws_console_login_from_machine_without_edr)
Batch 2 (planned for November 18, 2024)
Successful Azure CLI sign-in from machine without EDR agent (azure_cli_signin_from_machine_without_edr)
Successful Azure portal sign-in from machine without EDR agent (azure_portal_signin_from_machine_without_edr)
Azure AD successful login using legacy protocols (azure_suspicious_legacy_protocol_signin)
Batch 3 (planned for November 19, 2024)
Successful Duo authentication from host without an EDR agent (duo_authentication_from_computer_without_edr)
G Suite successful authorization of token to GCP related interface without EDR agent (gsuite_authorization_of_token_to_gcp_interface_without_edr)
Successful G Suite login from computer without EDR agent (gsuite_login_from_computer_without_edr)
Batch 4 (planned for November 20, 2024)
Okta successful administrative access from host without an EDR agent (okta_logs_admin_access_from_computer_without_edr)
Okta successful login from host without an EDR agent (okta_logs_login_from_computer_without_edr)
Improvements
As part of this process, the team is making the following improvements to the detectors listed above:
Noise reduction
We increased the window in which the detector looks back for EDR events from the login IP, to up to 2 days before the login. A login from an IP that any EDR agent reported (as its external or internal address) within that window is no longer treated as coming from a machine without EDR, so hosts whose agent last checked in the previous day stop generating leads.
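The correlation described above, as an added, stand-alone example rather than Hunters' own processor code: successful logins are joined to EDR telemetry by source IP, matching both the external and the internal IP the agent reports, and only logins with no EDR activity in the lookback window become leads. The event shapes, field names and sample records are constructed for this illustration and are not from the page.

```python
"""Added example (not Hunters' processor code): flag successful logins whose
source IP shows no EDR activity within a lookback window.

Assumptions: login events carry a source IP; EDR telemetry carries the
external and internal IP of the host. Both IP fields are matched against the
login source so that logins routed through internal ranges are covered.
"""
from datetime import datetime, timedelta

# Constructed sample EDR telemetry (UTC, ISO-8601). wks-01 last reported the
# day before the logins below; wks-02 reported a few minutes before them.
EDR_EVENTS = [
    {"time": "2024-11-17T08:00:00", "host": "wks-01",
     "external_ip": "203.0.113.10", "internal_ip": "10.0.1.25"},
    {"time": "2024-11-18T09:55:00", "host": "wks-02",
     "external_ip": "198.51.100.7", "internal_ip": "10.0.1.40"},
]

# Constructed sample successful logins (e.g. AWS console or Okta sign-ins).
LOGIN_EVENTS = [
    # alice: external IP of wks-01, seen by EDR 26 hours earlier.
    {"time": "2024-11-18T10:00:00", "user": "alice", "source_ip": "203.0.113.10"},
    # bob: login recorded with the internal IP of wks-02 (internal match).
    {"time": "2024-11-18T10:05:00", "user": "bob", "source_ip": "10.0.1.40"},
    # mallory: an IP no EDR agent has ever reported.
    {"time": "2024-11-18T10:10:00", "user": "mallory", "source_ip": "192.0.2.55"},
]

SHORT_LOOKBACK = timedelta(hours=1)   # the kind of window that produced noise
DEFAULT_LOOKBACK = timedelta(days=2)  # the increased window described above


def _ts(value):
    return datetime.fromisoformat(value)


def edr_ips_seen(edr_events, until, lookback):
    """Every IP (external and internal) that EDR reported in [until - lookback, until]."""
    start = until - lookback
    seen = set()
    for ev in edr_events:
        if start <= _ts(ev["time"]) <= until:
            seen.add(ev["external_ip"])
            seen.add(ev["internal_ip"])
    return seen


def logins_without_edr(login_events, edr_events, lookback=DEFAULT_LOOKBACK):
    """Return leads: successful logins whose source IP had no EDR activity in the window."""
    leads = []
    for login in login_events:
        login_time = _ts(login["time"])
        if login["source_ip"] not in edr_ips_seen(edr_events, login_time, lookback):
            leads.append({"user": login["user"],
                          "source_ip": login["source_ip"],
                          "time": login["time"]})
    return leads


if __name__ == "__main__":
    # With a 1 hour window alice is a false positive; with 2 days only mallory remains.
    for lookback in (SHORT_LOOKBACK, DEFAULT_LOOKBACK):
        users = [lead["user"] for lead in logins_without_edr(LOGIN_EVENTS, EDR_EVENTS, lookback)]
        print(f"lookback={lookback}: leads for {users}")
```

Running the block shows the effect of the window: with a 1 hour lookback both alice and mallory become leads, because wks-01 last checked in the previous day; with the 2 day lookback only mallory remains. bob is never flagged in either case, since the login source matches the internal IP wks-02 reported.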
Reliability
We are migrating the processor to a new execution engine designed to handle large volumes of data. This should make the processor more reliable during spikes in record volume, and because the engine is built for high-volume processing, performance should improve as well.
Expected changes
As a result of the upgrade:
The number of leads might change (fewer false positives are expected with the longer lookback window)
Processor descriptions will be updated to reflect the change
Duplicate leads might appear on the last day of the transition
The following will not be affected:
The processor name will not change, so custom rules that reference it will not be affected
Lead clustering will not change