Release Notes - December 2025 - #2


Product

Pathfinder AI - Open Beta

Starting January 7, 2026, Pathfinder AI will move to Open Beta and will automatically run on all relevant alerts to deliver fast, explainable AI-driven investigations directly within the Hunters platform. Pathfinder combines LLM reasoning (currently powered by Microsoft Azure OpenAI Service), security-specific knowledge, and dynamic enrichment to accelerate triage, improve consistency, and provide auditable conclusions across Hunters detectors and select third-party alerts (including CrowdStrike, Microsoft Azure, and Microsoft 365 Endpoint).

Pathfinder does not remediate or take automated actions, and customer data is not used to train AI models. Customers who prefer to disable automatic execution or would like to disable Pathfinder AI completely (including blocking on-demand investigations) can submit a request by opening a Support ticket before January 6, 2026. The Open Beta is time-limited; following the beta period, Pathfinder will be available as part of an add-on package.


Note for Partner Connect customers: Automatic investigation using Pathfinder AI will be disabled by default, and only the on-demand option will be available. If your team prefers Pathfinder AI to run automatically on all the relevant alert pipelines, please reach out to us (by opening a Support ticket), and we will be happy to enable automatic execution for your environment.

General note: Given the current state of generative AI, Pathfinder AI can boost productivity but may sometimes produce incorrect or inaccurate output. Always verify its conclusions before acting on them. Use of this service is at your own risk and subject to the Microsoft Terms, your applicable Hunters license terms, and the Hunters Documentation.

IOC Search

IOC Search now supports IPv6 addresses.

Security Content

AXON Threat Hunting Report

cURL requests made to LLM-associated domains

Team AXON has observed multiple cases where adversaries have leveraged command-line HTTP clients, such as cURL, to interact with LLM-associated domains under the appearance of legitimate automation or developer activity. In these incidents, attackers issued direct HTTP requests to LLM platforms rather than accessing them through interactive web interfaces or approved client applications.


One technique observed across multiple investigations involves the use of automated cURL-based interactions as a pseudo command-and-control mechanism, where adversaries submit prompts or contextual data to an LLM and process the responses programmatically. By avoiding browser-based access patterns, this approach can bypass user-centric monitoring and blend into otherwise legitimate API traffic.
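The hunt described above, as an added example (this is not Hunters or Team AXON code): it runs over constructed process-execution events, flags curl/wget invocations whose command line references an LLM API domain, and adds weight for the traits the report calls out: a request body being submitted (prompt or context data), a scheduler rather than an interactive shell as the parent, and repeated calls from the same host and user to the same domain. The LLM domain list, the client list, the scheduler-parent list and the sample events are all assumptions to adapt to your environment.

```python
"""Hunt for command-line HTTP clients talking directly to LLM API domains.

Added example, not Hunters/AXON code. Domain, client and parent lists plus the
sample events are assumptions / constructed data.
"""
import re
import shlex
from collections import Counter
from dataclasses import dataclass, field

# Assumed LLM-associated domains; matched as the host itself or any subdomain.
LLM_DOMAINS = (
    "openai.com", "anthropic.com", "generativelanguage.googleapis.com",
    "openai.azure.com", "api.mistral.ai", "api.groq.com", "huggingface.co",
)
# Assumed command-line HTTP clients of interest.
CLI_HTTP_CLIENTS = {"curl", "curl.exe", "wget", "wget.exe"}
# Assumed parents that indicate a scheduled / non-interactive launch.
SCHEDULER_PARENTS = {"cron", "crond", "anacron", "systemd", "schtasks.exe",
                     "taskeng.exe", "services.exe"}
# curl / wget flags that send a request body (i.e. a prompt or context upload).
BODY_FLAGS = {"-d", "--data", "--data-raw", "--data-binary", "--data-urlencode",
              "--json", "-F", "--form", "--post-data", "--post-file"}

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


@dataclass
class ProcessEvent:
    ts: str
    host: str
    user: str
    parent: str   # parent process image name
    image: str    # process image name
    cmdline: str


@dataclass
class Finding:
    event: ProcessEvent
    llm_host: str
    reasons: list = field(default_factory=list)
    score: int = 0


def llm_hosts_in(cmdline: str) -> list[str]:
    """Return the LLM-associated hostnames referenced by URLs in a command line."""
    hits = []
    for host in URL_RE.findall(cmdline):
        h = host.lower()
        if any(h == d or h.endswith("." + d) for d in LLM_DOMAINS):
            hits.append(h)
    return hits


def submits_body(cmdline: str) -> bool:
    """True when the client sends a request body (handles both '-d x' and '--post-file=x')."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:           # unbalanced quotes in a raw log line
        argv = cmdline.split()
    return any(a in BODY_FLAGS or a.split("=", 1)[0] in BODY_FLAGS for a in argv)


def hunt(events: list[ProcessEvent], repeat_threshold: int = 3) -> list[Finding]:
    """Score every CLI HTTP client execution that targets an LLM domain."""
    findings = []
    for ev in events:
        if ev.image.lower() not in CLI_HTTP_CLIENTS:
            continue
        hosts = llm_hosts_in(ev.cmdline)
        if not hosts:
            continue
        f = Finding(ev, hosts[0], [f"cli_http_client:{ev.image}", f"llm_domain:{hosts[0]}"], 1)
        if submits_body(ev.cmdline):
            f.reasons.append("sends_request_body")
            f.score += 1
        if ev.parent.lower() in SCHEDULER_PARENTS:
            f.reasons.append(f"scheduled_parent:{ev.parent}")
            f.score += 1
        findings.append(f)
    # Repetition from the same host/user to the same domain suggests a programmatic loop.
    runs = Counter((f.event.host, f.event.user, f.llm_host) for f in findings)
    for f in findings:
        n = runs[(f.event.host, f.event.user, f.llm_host)]
        if n >= repeat_threshold:
            f.reasons.append(f"repeated_x{n}")
            f.score += 1
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent("2025-12-10T09:02:11Z", "dev-ws-07", "alice", "bash", "curl",
                 "curl -s https://api.openai.com/v1/chat/completions -H 'Authorization: Bearer sk-REDACTED' "
                 "-d '{\"model\":\"gpt-4o\",\"messages\":[]}'"),
    ProcessEvent("2025-12-10T09:05:00Z", "build-03", "svc-build", "cron", "curl",
                 "curl -s -X POST https://api.anthropic.com/v1/messages --data-binary @/tmp/.ctx/out.json"),
    ProcessEvent("2025-12-10T09:07:40Z", "dev-ws-07", "alice", "bash", "curl", "curl -sf https://example.com/healthz"),
    ProcessEvent("2025-12-10T09:10:00Z", "build-03", "svc-build", "cron", "curl",
                 "curl -s -X POST https://api.anthropic.com/v1/messages --data-binary @/tmp/.ctx/out.json"),
    ProcessEvent("2025-12-10T09:12:03Z", "jump-01", "root", "systemd", "wget",
                 "wget -qO- --post-file=/var/tmp/p.txt "
                 "https://generativelanguage.googleapis.com/v1beta/models/gemini-pro:generateContent"),
    ProcessEvent("2025-12-10T09:15:00Z", "build-03", "svc-build", "cron", "curl",
                 "curl -s -X POST https://api.anthropic.com/v1/messages --data-binary @/tmp/.ctx/out.json"),
    ProcessEvent("2025-12-10T09:20:00Z", "dev-ws-07", "alice", "bash", "python3",
                 "python3 agent.py --endpoint https://api.openai.com/v1"),
]

if __name__ == "__main__":
    for f in sorted(hunt(SAMPLE_EVENTS), key=lambda f: -f.score):
        print(f"score={f.score} {f.event.ts} {f.event.host}/{f.event.user} {f.event.image} -> {f.llm_host} [{', '.join(f.reasons)}]")
```

Note that the example only inspects the command line; in real telemetry, pair it with DNS or proxy logs for the same host, since the URL can be hidden behind a config file, an environment variable or a redirect, and baseline the hits against known developer workstations and CI runners before treating a single match as malicious.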


More details and findings (if they exist) can be found on the Hunters platform under “Axon Reports”. 


Detectors

CrowdStrike Falcon 3rd party XDR detections - Alerts API

Third-party CrowdStrike XDR alerts, ingested from CrowdStrike's new Alerts API endpoint.

Note: Custom XDR alerts may sometimes contain insufficient information, but are still surfaced by the detector. Use the CrowdStrike console link in the alert to explore them.

Enrichments

Service Operations


Displays service operations performed on the given agent ID in the 24 hours before the lead start time, giving analysts additional context for uncovering potentially malicious service activity.




Integrations


CrowdStrike Incidents - Deprecation

CrowdStrike has announced that "Incident logs" will be retired and will no longer be available starting March 9, 2026. To avoid a gap in coverage, connect the CrowdStrike Alerts integration (crowdstrike_alerts); see our docs for onboarding instructions.

Microsoft Message Trace - Deprecation & Required Update

Microsoft has announced that the legacy Message Trace tools and APIs, commonly used to export email-delivery logs from Exchange Online, will be retired soon.

The API endpoints will be turned off on March 18, 2026.

Microsoft is also planning a new Graph API endpoint for Message Trace, expected to enter public preview in late 2025. Hunters already supports Microsoft Graph ingestion (https://docs.hunters.ai/docs/microsoft-graph) and will update the integration once Microsoft releases the new endpoint.

What this means for you

To ensure continued ingestion of your Microsoft email logs, you will need to migrate to Microsoft’s Graph API endpoint.

How Hunters can help

Our team is monitoring Microsoft’s rollout closely and will update our customers on any changes expected.

Please reach out to us with any questions or concerns.

New Integrations Releases:

  1. Check Point EDR - S3 integration

  2. KnowBe4 PhishER - Webhook and S3 integrations

  3. Netskope Network Events - API integration

  4. Cerberus - S3 integration

  5. Windows DNS channel logs - S3 integration

  6. Windows DNS debug logs - S3 integration

  7. GCP-V2 SCC Assets - API integration

  8. GCP-V2 SCC Findings - API integration

  9. PAN firewall Users - API integration

  10. BeyondTrust Password Safe On-Prem - S3 integration migration