Release Notes and Updates - Nov 2025



Detectors

New detectors

Google Drive Mass Download - Improvement

The field Application Name was added to the lead attributes as well as to the grid array.

This change helps with the investigation of this type of alert and allows new rules, such as ignore rules keyed on known applications.


Suspicious Teams communication from foreign user

By default, Microsoft Teams allows external users to initiate chats with internal employees unless tenant policies explicitly restrict it. 

This functionality can be exploited by threat actors to impersonate trusted contacts, deliver malicious links or payloads, or engage in deceptive conversations that can lead to compromise. 

This detector looks for suspicious one-on-one communication in Microsoft Teams initiated by external users, after filtering out chats from commonly used (well-known) domains.


SMB Connection From an Abnormal Process

Detects abnormal processes that initiate an SMB connection. 

In a Windows environment, file sharing is typically implemented over the Server Message Block (SMB) protocol, which communicates between hosts using port 445. 

When legitimate, these connections are established by the System process (PID 4), which hosts the kernel-mode SMB client. Non-system processes using this port can indicate port scanners, exploits, and tools used to move laterally in the environment.

Note that this detector relies on Windows Security event 5156 (the Windows Filtering Platform has permitted a connection), which is not logged by default: the "Filtering Platform Connection" audit subcategory must be enabled on the endpoints.
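The core of this detector, as an added example that is not Hunters' implementation: parsed event 5156 records are filtered to outbound TCP/445 connections whose initiating PID is not 4. Field names follow the EventData schema of event 5156 (Application, Direction, Protocol, DestAddress, DestPort, ProcessID); the sample records are constructed.

```python
"""Flag SMB (TCP/445) connections initiated by a process other than System (PID 4).

Added illustration of the detector's logic; not Hunters' code. Input is a list of
parsed Windows Security event 5156 records; the samples below are constructed.
"""
from dataclasses import dataclass

SMB_PORT = 445
SYSTEM_PID = 4          # Windows System process, which hosts the kernel-mode SMB client
OUTBOUND = "%%14593"    # Direction value event 5156 uses for outbound connections
TCP = 6                 # Protocol number for TCP in the event


@dataclass(frozen=True)
class Finding:
    host: str
    pid: int
    application: str
    dest: str


def find_abnormal_smb_connections(events):
    """Return one Finding per outbound TCP/445 connection not initiated by PID 4."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 5156:
            continue
        data = ev["EventData"]
        if data.get("Direction") != OUTBOUND:
            continue  # inbound 445 is the server side (file server), not a client initiating SMB
        if int(data.get("Protocol", 0)) != TCP or int(data.get("DestPort", 0)) != SMB_PORT:
            continue
        pid = int(data["ProcessID"])
        if pid == SYSTEM_PID:
            continue  # legitimate: kernel-mode SMB client
        findings.append(Finding(ev["Computer"], pid, data["Application"],
                                f'{data["DestAddress"]}:{SMB_PORT}'))
    return findings


# Constructed sample: a normal kernel-initiated connection, one from a user-mode tool,
# and one inbound 445 connection on a file server (ignored).
SAMPLE_EVENTS = [
    {"EventID": 5156, "Computer": "WS01", "EventData": {
        "Application": "System", "Direction": "%%14593", "Protocol": "6",
        "DestAddress": "10.0.0.5", "DestPort": "445", "ProcessID": "4"}},
    {"EventID": 5156, "Computer": "WS01", "EventData": {
        "Application": r"\device\harddiskvolume2\users\bob\downloads\scan.exe",
        "Direction": "%%14593", "Protocol": "6",
        "DestAddress": "10.0.0.7", "DestPort": "445", "ProcessID": "5120"}},
    {"EventID": 5156, "Computer": "FS01", "EventData": {
        "Application": "System", "Direction": "%%14592", "Protocol": "6",
        "DestAddress": "10.0.0.9", "DestPort": "445", "ProcessID": "4"}},
]

if __name__ == "__main__":
    for finding in find_abnormal_smb_connections(SAMPLE_EVENTS):
        print(finding)
```

Event 5156 only appears once the audit subcategory is on; on the endpoint that is `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable`, which is verbose, so scope it to the hosts you can afford to collect from.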


Non-Browser User Agents Authenticating to OfficeHome

Detects successful authentications to Microsoft 365’s OfficeHome application by non-browser user agents.

Threat actors may leverage automated tools, custom scripts, or replayed tokens instead of standard browsers (e.g., Chrome, Edge, Firefox, Safari) to blend into legitimate traffic and maintain persistent access to SaaS environments.

Such activity can indicate the use of compromised credentials or session artifacts, potentially enabling persistence, data exfiltration, or lateral movement while evading browser-based detection controls. 

Possible Execution of Impacket

Detects possible execution of Impacket scripts. Threat actors typically use Impacket to abuse Windows services and protocols and to steal credentials and other sensitive information.

This behavior can indicate undetected lateral movement within the network and privilege escalation.

Microsoft 365 Abnormal Mail Access by Unusual ClientAppId

Detects when a user accesses a mailbox they do not own, using a client application that the user does not typically use. 

This may indicate potential compromise or unauthorized access attempts. 

Adversaries may use custom or third-party applications to access mailboxes, bypassing standard security controls.

The score is decreased when multiple users routinely access the target mailbox, which suggests a shared mailbox.
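The scoring logic described above, as an added example that is not Hunters' implementation. Records mimic Microsoft 365 Unified Audit Log MailItemsAccessed entries (UserId is the actor, MailboxOwnerUPN the mailbox accessed, ClientAppId the application). The base score, the shared-mailbox threshold and penalty, and the sample history are all assumptions constructed for the illustration.

```python
"""Score non-owner mailbox access by a ClientAppId the actor does not normally use.

Added illustration of the detector's logic; not Hunters' code. The baseline is
built from historical MailItemsAccessed records; thresholds and scores are
assumptions and all sample data is constructed.
"""
from collections import defaultdict

BASE_SCORE = 70                 # assumption: score for non-owner access with an unseen app
SHARED_MAILBOX_MIN_ACTORS = 3   # assumption: this many distinct non-owner actors => shared mailbox
SHARED_MAILBOX_PENALTY = 40     # assumption: how much the score drops for a shared mailbox


def build_baselines(history):
    """Per-actor set of ClientAppIds seen, and per-mailbox set of distinct non-owner actors."""
    apps_by_actor = defaultdict(set)
    actors_by_mailbox = defaultdict(set)
    for r in history:
        if r["Operation"] != "MailItemsAccessed":
            continue
        actor, mailbox = r["UserId"].lower(), r["MailboxOwnerUPN"].lower()
        apps_by_actor[actor].add(r["ClientAppId"])
        if actor != mailbox:
            actors_by_mailbox[mailbox].add(actor)
    return apps_by_actor, actors_by_mailbox


def score_access(record, apps_by_actor, actors_by_mailbox):
    """Return a score for one new record (0 means no lead)."""
    if record["Operation"] != "MailItemsAccessed":
        return 0
    actor, mailbox = record["UserId"].lower(), record["MailboxOwnerUPN"].lower()
    if actor == mailbox:
        return 0  # owner accessing their own mailbox
    if record["ClientAppId"] in apps_by_actor.get(actor, set()):
        return 0  # application already part of this actor's baseline
    score = BASE_SCORE
    if len(actors_by_mailbox.get(mailbox, set())) >= SHARED_MAILBOX_MIN_ACTORS:
        score -= SHARED_MAILBOX_PENALTY  # many people use it: likely a shared mailbox
    return score


# Constructed baseline: ClientAppIds are placeholder GUIDs, not real application IDs.
APP_A = "00000000-0000-0000-0000-00000000000a"
APP_B = "00000000-0000-0000-0000-00000000000b"


def _rec(actor, mailbox, app):
    return {"Operation": "MailItemsAccessed", "UserId": actor,
            "MailboxOwnerUPN": mailbox, "ClientAppId": app}


HISTORY = [
    _rec("alice@example.com", "alice@example.com", APP_A),
    _rec("eve@example.com", "eve@example.com", APP_A),
    _rec("bob@example.com", "support@example.com", APP_A),
    _rec("carol@example.com", "support@example.com", APP_A),
    _rec("dave@example.com", "support@example.com", APP_A),
]

NEW_RECORDS = {
    "non_owner_unseen_app": _rec("eve@example.com", "alice@example.com", APP_B),
    "shared_mailbox_unseen_app": _rec("frank@example.com", "support@example.com", APP_B),
    "owner_new_app": _rec("alice@example.com", "alice@example.com", APP_B),
}


def score_all(history=HISTORY, new_records=NEW_RECORDS):
    apps, actors = build_baselines(history)
    return {name: score_access(r, apps, actors) for name, r in new_records.items()}


if __name__ == "__main__":
    for name, score in score_all().items():
        print(f"{name}: {score}")
```

In production the baseline window matters: too short and every new device or add-in becomes a lead, too long and an attacker's first use of a scripting client is learned as normal.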

Deprecated detectors

SOCKS proxy usage

Following customer feedback on a false-positive (FP) lead, we analyzed this detector.

The detector attempted to identify a specific phenomenon that occurs during certain usage of the Cobalt Strike tool. Analysis showed that this behavior is not exclusive to that tool.

In addition, the lead only reports an anomalous login, without much context for investigating it.

After weighing the potential value against the time required to investigate and the high number of FPs, we decided the detector does not meet our quality standards and should be deprecated.

Process execution from remote network share

The detector is very noisy, and on its own execution from a remote share does not indicate suspicious activity unless there is some other indication. 

The detector was replaced by a scoring model that runs on the relevant EDR-based detectors and increases the score when the target process was executed from a remote share.

Suspicious execution from %ProgramData%

The detector is very noisy, and on its own execution from %ProgramData% does not indicate suspicious activity unless there is some other indication. 

The detector will be replaced by a scoring model that runs on the relevant EDR-based detectors and increases the score when the target process was executed from %ProgramData%.

The deprecation will take place on Nov 9, 2025.

Possible use of a stolen or forged user ticket (TGT)

The detector is very inaccurate and noisy.

The detector aims to detect a Golden Ticket attack. However, it is increasingly common for adversaries to use more advanced techniques such as Diamond or Sapphire Tickets, which this detector does not catch.

For now, there are no effective ways to detect the Diamond and Sapphire Ticket techniques. Hunters' Team Axon will keep evaluating possible detections for them and will develop a detector if one can be made accurate enough.

The deprecation will take place on Nov 16, 2025.

Enrichments

EDR Process ID to Registry Operations

This drilldown queries the raw data for any registry operations made by the PID (Process ID) in the half hour before and after the lead inception time. 

This gives greater context on what took place during the process execution and helps uncover any potentially malicious registry activity.

The score is increased when commonly abused registry keys have been modified.

Process Connections from IP over Kerberos

This drilldown identifies processes making outbound Kerberos connections (port 88) from a specific source IP address. 

It's particularly useful for investigating Kerberoasting attacks, excessive TGS requests, and other Kerberos-related security incidents where understanding which processes are communicating with domain controllers is crucial.

Destination IP to Process Connections

This drilldown analyzes which processes on endpoints are connecting to specific destination IP addresses. 

AWS User Role Attachment Activities

This drilldown analyzes AWS IAM policy attachment activities to identify privilege escalation attempts and unusual access patterns. 

It specifically monitors AttachRolePolicy, AttachGroupPolicy, and AttachUserPolicy events to detect suspicious role and permission modifications that could indicate compromised accounts or insider threats.
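A triage pass over these events, as an added example that is not Hunters' drilldown: it reads CloudTrail records for the three Attach*Policy event names and flags attachments of highly privileged AWS managed policies and cases where an IAM user attaches a policy to itself. The privileged-policy list and the self-attachment rule are assumptions, and the sample records are constructed.

```python
"""Flag IAM policy attachments that look like privilege escalation.

Added illustration for the drilldown above; not Hunters' code. Input is a list
of CloudTrail records (dicts as in the JSON). The PRIVILEGED_POLICIES set and the
self-attachment rule are assumptions; the sample records are constructed.
"""
ATTACH_EVENTS = {"AttachUserPolicy", "AttachGroupPolicy", "AttachRolePolicy"}

# Assumption: managed policies whose attachment is almost always worth a look.
PRIVILEGED_POLICIES = {
    "arn:aws:iam::aws:policy/AdministratorAccess",
    "arn:aws:iam::aws:policy/IAMFullAccess",
}


def target_of(record):
    """Return (parameter name, principal name) the policy was attached to."""
    params = record.get("requestParameters") or {}
    for key in ("userName", "groupName", "roleName"):
        if key in params:
            return key, params[key]
    return None, None


def actor_user_name(record):
    """IAM user name of the caller, or None for roles, root and federated identities."""
    ident = record.get("userIdentity") or {}
    return ident.get("userName") if ident.get("type") == "IAMUser" else None


def review_attachments(records):
    """Return findings for suspicious Attach*Policy events, denied attempts included."""
    findings = []
    for r in records:
        if r.get("eventName") not in ATTACH_EVENTS:
            continue
        policy = (r.get("requestParameters") or {}).get("policyArn", "")
        kind, target = target_of(r)
        reasons = []
        if policy in PRIVILEGED_POLICIES:
            reasons.append("privileged managed policy")
        if kind == "userName" and target is not None and target == actor_user_name(r):
            reasons.append("actor attached a policy to its own user")
        if reasons:
            findings.append({
                "time": r.get("eventTime"),
                "event": r["eventName"],
                "actor": (r.get("userIdentity") or {}).get("arn"),
                "target": f"{kind}={target}",
                "policy": policy,
                "denied": bool(r.get("errorCode")),  # a denied attempt is still an attempt
                "reasons": reasons,
            })
    return findings


# Constructed sample records (account ID and names are placeholders).
SAMPLE_RECORDS = [
    {"eventTime": "2025-11-03T10:00:00Z", "eventName": "AttachRolePolicy",
     "userIdentity": {"type": "IAMUser", "userName": "admin",
                      "arn": "arn:aws:iam::123456789012:user/admin"},
     "requestParameters": {"roleName": "Deploy",
                           "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}},
    {"eventTime": "2025-11-03T10:05:00Z", "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "dev",
                      "arn": "arn:aws:iam::123456789012:user/dev"},
     "requestParameters": {"userName": "dev",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2025-11-03T10:07:00Z", "eventName": "AttachGroupPolicy",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Ops/session"},
     "requestParameters": {"groupName": "Ops",
                           "policyArn": "arn:aws:iam::aws:policy/IAMFullAccess"},
     "errorCode": "AccessDenied"},
    {"eventTime": "2025-11-03T10:09:00Z", "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "dev",
                      "arn": "arn:aws:iam::123456789012:user/dev"},
     "requestParameters": {"userName": "alice",
                           "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}},
]

if __name__ == "__main__":
    for f in review_attachments(SAMPLE_RECORDS):
        print(f)
```

Customer-managed policies are not in the list, so a second pass that resolves the attached policy's document (GetPolicyVersion) and looks for `iam:*` or `*:*` statements is the natural extension.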

Associated Microsoft Teams Activities and Complementary M365 audit logs

Returns relevant M365 audit logs, including Microsoft Teams activities and TIMailData events that may be significant for investigations. 

For example, events such as UserAccepted and MessageSent in Teams can provide valuable context in Teams phishing cases, helping determine whether the attack was successful.

SentinelOne Threat Raw Correlation

SentinelOne third-party alerts do not carry much context on their own.

This new drilldown presents additional insights about the alert and the processes, files, and network activity related to it.

Pulsedive IOC Lookup - Improvement

A grid array was added to the drilldown results, listing the Threats, Risk Factors, and Feeds the indicator is related to.

This lets users consume the Pulsedive insights immediately, easily and simply.

Integrations

New integration releases:

  1. Stream Security Alerts - Webhook / S3

  2. Vectra RUX audit logs (metadata) - API / S3

  3. Wiz Threats - Webhook / S3

  4. Zero Networks - Audit Activity Logs - API / S3

  5. Jamf Protect Events - API / S3

  6. Fastly WAF - S3

  7. Tanium - audit logs (33 endpoints) - API / S3

  8. Check Point Email Events - S3