Product
Pathfinder AI - Open Beta
Pathfinder AI moved to Open Beta and will automatically run on all relevant alerts to deliver fast, explainable AI-driven investigations directly within the Hunters platform. Pathfinder combines LLM reasoning (currently powered by Microsoft Azure OpenAI Service), security-specific knowledge, and dynamic enrichment to accelerate triage, improve consistency, and provide auditable conclusions across Hunters detectors and select third-party alerts (including CrowdStrike, Microsoft Azure, and Microsoft 365 Endpoint).
Pathfinder does not remediate or take automated actions, and customer data is not used to train AI models.
Note for Partner Connect customers: Automatic investigation using Pathfinder AI will be disabled by default, and only the on-demand option will be available.
If your team prefers Pathfinder AI to run automatically on all the relevant alert pipelines, please reach out to us (by opening a Support ticket), and we will be happy to enable automatic execution for your environment.
General note: Given the current state of generative AI, Pathfinder AI can boost productivity but may sometimes produce incorrect/inaccurate output. Always verify its responses before relying on them. Use of this service is at your own risk and subject to Hunters' SaaS Terms of Service and AI Acceptable Use Policy.
Security Content
AXON Threat Hunting Report
AWS S3 Cross-Account Replication to Externally Owned Buckets
Amazon S3 replication is an AWS feature that enables automatic, continuous copying of objects from a source bucket to a destination bucket. It is commonly used for disaster recovery, backup, and cross-region data availability. Replication is configured at the bucket level and operates transparently once enabled, allowing objects to be replicated without additional user interaction.
However, when S3 replication is configured to replicate data to buckets owned by externally controlled AWS accounts, it can introduce a persistent data transfer path outside the organization’s control. If such a configuration is created maliciously or as a result of credential compromise, it may enable continuous and large-scale data exfiltration.
This hunting thesis examines S3 replication configurations in which an external AWS account owns the destination bucket.
More details and findings (if they exist) can be found on the Hunters platform under “Axon Reports”.
Following this threat hunting campaign, a new detector has been released to detect such scenarios. See more details in the “Detectors” section below.
Visibility Dashboards
A new visibility dashboard, “Domain Controller Reporting Status”, is now available on the Hunters platform under “Data -> Visibility”.
This dashboard provides visibility into the health and log reporting status of Domain Controllers by tracking their Windows Event Log activity.
Detectors
Possible exfiltration of secrets from AWS Secrets Manager using BatchGetSecretValue API
This new detector detects attempts to exfiltrate AWS secrets by requesting multiple secrets in a single API call.
It looks for the first time a specific user identity has retrieved a secret value from Secrets Manager using the BatchGetSecretValue action.
In contrast to the normal GetSecretValue API, this API call allows the caller to get multiple secrets at once. Adversaries can use it to evade conventional secret-exfiltration detection, which relies on spotting multiple separate calls to the secrets API.
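As an added illustration of the first-seen logic described above (this is example code, not Hunters' detector), the following runs the check over constructed CloudTrail-style records. The requestParameters keys secretIdList, filters and maxResults follow the API's request fields; that CloudTrail logs them under exactly these names is an assumption.

```python
"""First-use detection for Secrets Manager BatchGetSecretValue (added example)."""
from datetime import datetime, timezone

# Constructed CloudTrail-style records, not real logs. The requestParameters
# keys (secretIdList, filters, maxResults) follow the API's request fields;
# that CloudTrail logs them under exactly these names is an assumption.
SAMPLE_EVENTS = [
    {
        "eventTime": "2026-01-10T09:00:00Z",
        "eventSource": "secretsmanager.amazonaws.com",
        "eventName": "GetSecretValue",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:role/app-role"},
        "requestParameters": {"secretId": "prod/db/password"},
    },
    {
        "eventTime": "2026-01-10T09:05:00Z",
        "eventSource": "secretsmanager.amazonaws.com",
        "eventName": "BatchGetSecretValue",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:role/backup-role"},
        "requestParameters": {"secretIdList": ["prod/db/password", "prod/api/key"]},
    },
    {
        "eventTime": "2026-01-11T22:13:00Z",
        "eventSource": "secretsmanager.amazonaws.com",
        "eventName": "BatchGetSecretValue",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/contractor"},
        "requestParameters": {
            "filters": [{"key": "name", "values": ["prod/"]}],
            "maxResults": 20,
        },
    },
    {
        "eventTime": "2026-01-12T08:00:00Z",
        "eventSource": "secretsmanager.amazonaws.com",
        "eventName": "BatchGetSecretValue",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:role/backup-role"},
        "requestParameters": {"secretIdList": ["prod/db/password"]},
    },
]


def parse_time(ts):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_first_batch_get(events, baseline_identities=frozenset()):
    """Return one alert per identity the first time it calls BatchGetSecretValue.

    baseline_identities: ARNs already observed using the API in a lookback
    window (e.g. the previous 90 days); those identities never alert here.
    """
    seen = set(baseline_identities)
    alerts = []
    for ev in sorted(events, key=lambda e: parse_time(e["eventTime"])):
        if ev.get("eventSource") != "secretsmanager.amazonaws.com":
            continue
        if ev.get("eventName") != "BatchGetSecretValue":
            continue
        arn = ev["userIdentity"]["arn"]
        if arn in seen:
            continue
        seen.add(arn)
        params = ev.get("requestParameters") or {}
        secret_ids = params.get("secretIdList")
        if secret_ids:
            scope = {"kind": "explicit", "count": len(secret_ids), "secrets": list(secret_ids)}
        else:
            # Filter-based calls name no secrets: the response may carry up to
            # maxResults secrets, so the blast radius cannot be read off the
            # request alone and the responder must check what matched.
            scope = {
                "kind": "filter",
                "max_results": params.get("maxResults"),
                "filters": params.get("filters", []),
            }
        alerts.append({"identity": arn, "event_time": ev["eventTime"], "scope": scope})
    return alerts


if __name__ == "__main__":
    for alert in detect_first_batch_get(SAMPLE_EVENTS):
        print(alert["event_time"], alert["identity"], alert["scope"])
```

The second BatchGetSecretValue call by backup-role is suppressed because the identity is already known; passing that role's ARN as a baseline identity leaves only the contractor's filter-based call, which is the one a responder would want to look at first since the request itself does not say how many secrets came back.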
S3 Bucket Replication to External AWS Account
This new detector detects S3 replication configurations that establish cross-account replication to external AWS accounts not owned by the organization, which may indicate an attempt at data exfiltration.
Amazon S3 replication is an AWS feature that enables automatic, continuous copying of objects from a source bucket to a destination bucket. Replication is configured at the bucket level and operates transparently once enabled, allowing objects to be replicated without additional user interaction.
When S3 replication is configured to replicate data to buckets owned by externally controlled AWS accounts, it can introduce a persistent data transfer path outside the organization’s control.
This new detector identifies AWS S3 PutBucketReplication events where one or more replication rules are configured to replicate objects to a destination bucket owned by an external AWS account that is not associated with the organization.
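As an added example of the PutBucketReplication check the detector description outlines (example code, not Hunters' own logic), the following classifies each replication rule's destination against a constructed list of organisation account ids. The nesting of ReplicationConfiguration / Rule / Destination mirrors the S3 API's request body; that CloudTrail logs it under these keys, and that a single rule may appear as a dict rather than a list, are assumptions. It also handles the case the detector text implies but does not spell out: when the rule carries no Destination.Account, the event alone cannot tell you who owns the bucket.

```python
"""Flag S3 PutBucketReplication rules whose destination is outside the org (added example)."""

# Constructed organisation account ids; in practice load these from AWS
# Organizations or your asset inventory.
ORG_ACCOUNTS = frozenset({"111111111111", "222222222222"})

# Constructed CloudTrail-style records, not real logs. The nesting of
# ReplicationConfiguration / Rule / Destination mirrors the S3 API's XML
# request body; CloudTrail logging it under these keys is an assumption.
SAMPLE_EVENTS = [
    {
        "eventTime": "2026-01-20T14:02:00Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "PutBucketReplication",
        "recipientAccountId": "111111111111",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
        "requestParameters": {
            "bucketName": "corp-finance-data",
            "ReplicationConfiguration": {
                "Role": "arn:aws:iam::111111111111:role/s3-replication",
                "Rule": [
                    {"ID": "dr-copy", "Status": "Enabled",
                     "Destination": {"Bucket": "arn:aws:s3:::corp-dr-backup",
                                     "Account": "222222222222"}},
                    {"ID": "sync", "Status": "Enabled",
                     "Destination": {"Bucket": "arn:aws:s3:::unrelated-backup",
                                     "Account": "999999999999",
                                     "AccessControlTranslation": {"Owner": "Destination"}}},
                ],
            },
        },
    },
    {
        # Single rule: assumed to be logged as a dict rather than a one-item list.
        "eventTime": "2026-01-21T09:30:00Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "PutBucketReplication",
        "recipientAccountId": "111111111111",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:role/deploy"},
        "requestParameters": {
            "bucketName": "corp-logs",
            "ReplicationConfiguration": {
                "Role": "arn:aws:iam::111111111111:role/s3-replication",
                "Rule": {"ID": "mirror", "Status": "Enabled",
                         "Destination": {"Bucket": "arn:aws:s3:::some-other-bucket"}},
            },
        },
    },
]


def replication_rules(event):
    """Normalise the Rule element to a list (one rule may be logged as a dict)."""
    cfg = (event.get("requestParameters") or {}).get("ReplicationConfiguration") or {}
    rules = cfg.get("Rule", [])
    return rules if isinstance(rules, list) else [rules]


def classify_replication(event, org_accounts):
    """One finding per rule with verdict internal / external / unknown / disabled."""
    findings = []
    for rule in replication_rules(event):
        dest = rule.get("Destination", {})
        # Destination.Account is only present when the caller names the owning
        # account. Without it the bucket ARN alone does not reveal the owner,
        # so the bucket has to be resolved against inventory before deciding.
        account = dest.get("Account")
        if rule.get("Status") != "Enabled":
            verdict = "disabled"
        elif account is None:
            verdict = "unknown"
        elif account in org_accounts:
            verdict = "internal"
        else:
            verdict = "external"
        findings.append({
            "source_bucket": event["requestParameters"].get("bucketName"),
            "actor": event["userIdentity"]["arn"],
            "rule_id": rule.get("ID"),
            "destination_bucket": dest.get("Bucket"),
            "destination_account": account,
            # Owner override hands ownership of replicated objects to the
            # destination account, which strengthens an exfiltration reading.
            "owner_override": dest.get("AccessControlTranslation", {}).get("Owner") == "Destination",
            "verdict": verdict,
        })
    return findings


def external_replication_alerts(events, org_accounts=ORG_ACCOUNTS):
    """Return findings needing review: external destinations and unresolved owners."""
    alerts = []
    for ev in events:
        if ev.get("eventSource") != "s3.amazonaws.com" or ev.get("eventName") != "PutBucketReplication":
            continue
        alerts.extend(f for f in classify_replication(ev, org_accounts)
                      if f["verdict"] in ("external", "unknown"))
    return alerts


if __name__ == "__main__":
    for a in external_replication_alerts(SAMPLE_EVENTS):
        print(a["verdict"], a["source_bucket"], "->", a["destination_bucket"], a["destination_account"])
```

The first event yields one internal rule (ignored) and one external rule with an owner override; the second yields an "unknown" finding because the rule names no destination account, which is exactly the case where an automated verdict should defer to a bucket-ownership lookup rather than silently pass.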
Enrichments
AWS S3 Bucket Activity
Post Replication Activity
This new enrichment identifies S3 objects that were replicated to an external bucket after replication was configured, focusing on activity in the 12 hours following alert generation.
Please note that this enrichment relies on S3 data events (GetObject), which are not enabled by default in AWS CloudTrail. If data events are not configured for the source bucket, object-level replication activity may not be recorded, and this enrichment may not return results even if replication occurred.
S3 Replication User Statistics
This new enrichment retrieves data on S3 replication configurations performed by the user ARN within the last three months.
Integrations
CrowdStrike Incidents - Deprecation
CrowdStrike has announced that “Incident logs” will be retired and will no longer be available starting March 9, 2026. To avoid disruption, connect CrowdStrike Alerts (crowdstrike_alerts); use our docs to onboard.
Microsoft Message Trace - Deprecation & Required Update
Microsoft has announced that the legacy Message Trace tools and APIs, commonly used to export email-delivery logs from Exchange Online, will be retired soon.
The API endpoints will be turned off on March 18, 2026.
Microsoft is also planning a new Graph API endpoint for Message Trace, expected to enter public preview in late 2025. We already support this endpoint and will update our integration once Microsoft releases its update.
What this means for you
To ensure continued ingestion of your Microsoft email logs, you will need to migrate to Microsoft’s Graph API endpoint.
How Hunters can help
Our team is monitoring Microsoft’s rollout closely and will update our customers on any changes expected.
Please reach out to us with any questions or doubts.
New Integration Releases:
Netskope Borderless SD-WAN Logs - S3 integration
Wazuh Firewall and Server Logs (3 data types) - S3 integration
Prolion - CryptoSpike Logs - S3 integration
VMware vCenter Logs - S3 integration
GitHub Enterprise audit logs - S3 integration and API
Forcepoint Firewall Logs - S3 integration
Symantec Edge SWG Logs - S3 integration and API
Bluecat Networks - Micetro Logs - S3 integration