Product updates
Revamped Data Flows Page
We’ve redesigned the Data Flows page to give you greater visibility, control, and clarity over your data ingestion pipeline.
The updated view now displays enhanced details for each data flow, including integration type, data source, ingestion volume, last inserted timestamp, and a real-time activity graph. You can also filter by type, status, integration, and more with a streamlined and responsive UI.
This update helps you monitor data health at a glance, spot anomalies faster, and optimize your investigation workflows with ease.
Learn more about data flows here.
Lead Timeline
You can now access a comprehensive timeline of key events related to each lead by clicking the event timestamp.
The Lead Timeline window displays the full sequence—from the initial event and ingestion time to lead creation and auto-investigation activity. This panel also allows you to manually trigger Investigation On-Demand for deeper insight.
This enhancement provides greater visibility into lead progression, enabling more informed and efficient investigations.
Auto-Investigation On Demand
You can now manually trigger auto-investigations directly from a lead to enrich and refresh the lead attributes and entities with up-to-date data. Simply open the lead, click the event timestamp to open the Lead Timeline, then scroll to the Auto-Investigation section and click Run Again.
You can also initiate an auto-investigation on leads that were originally excluded from investigation because of their Low risk score.
Each lead allows up to 3 on-demand investigations, with a minimum 20-minute cooldown between runs.
This feature empowers analysts with greater control and flexibility to complete the investigative picture when needed.
Deep Links in AI Assistant
Hunters’ AI-powered Investigation Assistant now includes deep-linking to investigation steps, guiding you directly to the relevant section within the lead.
These contextual links streamline your workflow by taking you straight to the data that supports each step of the investigation.
This enhancement boosts investigation efficiency by reducing friction and helping analysts focus on what matters most—faster.
Upcoming Detection Limitation
To maintain system stability and prevent performance degradation, a cap of 5,000 third-party detections per day will be enforced starting May 4.
This safeguard is designed to protect the platform from excessive event volumes that could impact overall performance.
This change ensures consistent system reliability and responsiveness for all users.
Integrations
OpenCTI
OpenCTI (Open Cyber Threat Intelligence) logs provide detailed records of the platform’s operations, including data ingestion, threat intelligence processing, and system events. These logs help administrators monitor performance, troubleshoot issues, and ensure data integrity across connectors, enrichment modules, and integrations. By analyzing OpenCTI logs, users can maintain visibility into the flow of threat intelligence and identify any anomalies or operational errors.
The integration includes:
Ingestion of the data to the data lake
Mapping of the data to IOC Search
Mapping to relevant Hunters schemas
Learn more here
Microsoft O365 Exchange Message Trace Reports
Microsoft 365 Exchange Message Trace reports provide detailed insights into email message flow within your organization. They allow administrators to track messages as they pass through Exchange Online, including information about delivery status, routing, spam filtering actions, and timestamps. These reports help with troubleshooting mail flow issues, auditing communications, and ensuring policy compliance. Message trace data is available for up to 10 days (or 90 days in advanced traces) and can be accessed via the Microsoft 365 admin center, PowerShell, or Microsoft Graph API.
The integration includes:
Ingestion of the data to the data lake
Mapping of the data to IOC Search
Mapping to relevant Hunters schemas
Learn more here
Detection
New detectors
🔎 New RMM Tool Executed
Detector ID: edr_new_rmm_tool_execution
This detector identifies the execution of a previously unseen Remote Monitoring and Management (RMM) tool on an agent—an activity that may indicate initial access or persistence by a threat actor.
It flags new RMM executables on agents that don't commonly run them, while filtering out those that are widely used across the organization. This is achieved using a new entity, which evaluates binary usage over the past month for greater accuracy.
To reduce noise, the detector also applies a per-agent learning period, preventing alerts on newly onboarded agents where legitimate installations are more likely.
This detection enhances visibility into potentially malicious RMM tool usage while minimizing false positives through behavioral baselines and organizational context.
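As an added illustration of the baseline logic described above (not Hunters' own detector code), the sketch below applies the three filters to constructed EDR process events: a 30-day per-agent and org-wide binary baseline, a prevalence cutoff for tools that are widely used across the organization, and a per-agent learning period. The RMM binary names, the 7-day learning period and the 50% prevalence cutoff are assumptions.

```python
from datetime import date, timedelta

# Assumptions (not from the release notes): RMM binary list, learning-period
# length and the "widely used" prevalence cutoff are hypothetical values.
RMM_BINARIES = {"fieldagent.exe", "remotesupport.exe"}
BASELINE_DAYS = 30       # binary usage is baselined over the past month
LEARNING_DAYS = 7        # per-agent learning period after first activity
PREVALENCE_CUTOFF = 0.5  # run by >= 50% of agents in the window = widely used

D0 = date(2025, 4, 1)
def day(n):              # day n of the constructed timeline
    return D0 + timedelta(days=n)

# Constructed EDR process events: (event_date, agent_id, binary_name).
EVENTS = [
    (day(0), "ws-01", "outlook.exe"), (day(0), "ws-02", "outlook.exe"),
    (day(0), "ws-03", "outlook.exe"), (day(0), "ws-04", "outlook.exe"),
    (day(1), "ws-01", "fieldagent.exe"),      # installs during onboarding:
    (day(1), "ws-02", "fieldagent.exe"),      # suppressed by learning period
    (day(2), "ws-03", "fieldagent.exe"),
    (day(20), "ws-04", "fieldagent.exe"),     # widely used in the org: filtered
    (day(24), "ws-05", "outlook.exe"),        # ws-05 onboarded on day 24
    (day(25), "ws-02", "remotesupport.exe"),  # never seen anywhere: alert
    (day(26), "ws-05", "remotesupport.exe"),  # new agent, still learning
    (day(40), "ws-02", "remotesupport.exe"),  # same agent ran it 15 days ago
]

def detect_new_rmm_tool(events):
    """Return (date, agent, binary) alerts for first-seen RMM tools."""
    first_seen = {}   # agent -> date of its first event of any kind
    history = []      # events already processed, oldest first
    alerts = []
    for ev_date, agent, binary in sorted(events):
        first_seen.setdefault(agent, ev_date)
        if binary in RMM_BINARIES:
            window_start = ev_date - timedelta(days=BASELINE_DAYS)
            recent = [e for e in history if e[0] >= window_start]
            ran_before = any(a == agent and b == binary for _, a, b in recent)
            running = {a for _, a, b in recent if b == binary}
            all_agents = {a for _, a, _ in recent} | {agent}
            widely_used = len(running) / len(all_agents) >= PREVALENCE_CUTOFF
            learning = (ev_date - first_seen[agent]).days < LEARNING_DAYS
            if not (ran_before or widely_used or learning):
                alerts.append((ev_date, agent, binary))
        history.append((ev_date, agent, binary))
    return alerts

if __name__ == "__main__":
    for alert in detect_new_rmm_tool(EVENTS):
        print("NEW RMM TOOL:", *alert)
```

Only the day-25 event survives all three filters; the onboarding installs, the org-wide tool and the repeat run on the same agent are suppressed.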
Improved detectors
🔎 Process Created on Remote Host via WMI
Detector ID: crowdstrike_wmicreateprocess_from_a_remote_host
As part of our ongoing content quality improvements, this detector has been enhanced to significantly reduce false positives.
Previously, it alerted on any remote WMI process creation, leading to high alert volumes. It now leverages a UEBA detect-changes template to trigger only on previously unseen command lines originating from anomalous IPs.
This update is expected to reduce alert volume by 97%, boosting signal quality and investigation focus.