Product
Pathfinder - Enhanced feedback loop
Classification Feedback
When accepting or dismissing Pathfinder's classification verdict, analysts can now share context about why they agreed or disagreed. This optional feedback helps Pathfinder understand what resonated, and what didn't, so future investigations align more closely with your team's judgment.
Downvote Key Findings
Analysts can now downvote individual key findings that weren't useful or relevant to their investigation. Each downvote signals to Pathfinder which investigative angles to deprioritize in similar scenarios going forward.
Pathfinder - Organizational Context - private preview
We are pleased to announce the upcoming private preview of the new Pathfinder organizational context capability.
This feature will enhance investigations by allowing you to add relevant organizational context for Pathfinder to utilize.
During this preview phase, you will be able to manually create this context. Future plans include capabilities for Pathfinder to automatically generate organizational context.
To participate in the preview or for any related questions, please contact us.
Security Content
AXON Threat Hunting Report
Axios NPM Package Compromise
On March 31, 2026, Team AXON initiated a Rapid Response campaign following the disclosure of a significant security incident involving the widely used NPM package Axios. The compromise introduces significant risk across enterprise environments that rely on this dependency.
Malicious versions of the Axios package were published to NPM, embedding a remote access trojan. These versions were capable of establishing outbound connections to attacker-controlled infrastructure, enabling remote command execution and potential data exfiltration from affected systems.
The compromise is particularly concerning due to Axios’s widespread use in both frontend and backend applications, increasing the likelihood of downstream impact across development pipelines and production environments.
The affected versions are:
axios@1.14.1 - published on 2026-03-31 00:21
axios@0.30.4 - published on 2026-03-31 01:00
The Rapid Response campaign was conducted from March 29, 2026 00:00 UTC, to March 31, 2026 13:40 UTC. If any indicators of compromise were discovered in your environment, they will be documented in the “Hunting Results” section of this report.
Please note that additional machines may download the compromised package in the future, so the blast radius could be larger than what is currently reflected in this report.
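The following script is an added example for this report, not Hunters' or Team AXON's tooling: it scans an npm lockfile for the two affected Axios versions named above, resolving nested copies of the package as well as the top-level one, and handles both the flat "packages" map of lockfileVersion 2/3 and the nested "dependencies" tree of lockfileVersion 1. The sample lockfiles embedded in it are constructed.

```python
"""Scan an npm lockfile for the affected Axios versions listed in the report.
Added example, not Hunters' or Team AXON's tooling. Sample lockfiles below
are constructed."""
import json
import sys

# The two affected releases named in the report.
AFFECTED_AXIOS_VERSIONS = frozenset({"1.14.1", "0.30.4"})


def find_affected_axios(lockfile_text: str) -> list:
    """Return [{"path": ..., "version": ...}] for every installed copy of
    axios whose version is on the affected list.

    lockfileVersion 2/3 keep a flat "packages" map keyed by install path
    ("node_modules/axios", "node_modules/foo/node_modules/axios"), so nested
    duplicates are found too. lockfileVersion 1 nests a "dependencies" tree,
    which is walked recursively. Package names are compared exactly, so
    "axios-retry" or "@scope/axios" never match.
    """
    lock = json.loads(lockfile_text)
    hits = []

    if "packages" in lock:  # lockfileVersion 2 or 3 (v2 also carries a
        for path, meta in lock["packages"].items():  # legacy tree; skip it)
            name = path.rsplit("node_modules/", 1)[-1]
            if name == "axios" and meta.get("version") in AFFECTED_AXIOS_VERSIONS:
                hits.append({"path": path, "version": meta["version"]})
        return hits

    def walk(deps, prefix):  # lockfileVersion 1
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if name == "axios" and meta.get("version") in AFFECTED_AXIOS_VERSIONS:
                hits.append({"path": path, "version": meta["version"]})
            walk(meta.get("dependencies", {}), path + "/")

    walk(lock.get("dependencies", {}), "")
    return hits


# Constructed sample: a clean top-level axios would not be listed, but here a
# direct dependency and a nested copy under "legacy-tool" are both affected.
SAMPLE_LOCKFILE_V3 = json.dumps({
    "name": "example-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "dependencies": {"axios": "^1.14.0"}},
        "node_modules/axios": {"version": "1.14.1"},
        "node_modules/axios-retry": {"version": "4.5.0"},  # different package
        "node_modules/legacy-tool": {"version": "2.0.0",
                                     "dependencies": {"axios": "~0.30.0"}},
        "node_modules/legacy-tool/node_modules/axios": {"version": "0.30.4"},
    },
})

# Constructed sample in the older nested format; only the nested copy is affected.
SAMPLE_LOCKFILE_V1 = json.dumps({
    "name": "old-app", "lockfileVersion": 1,
    "dependencies": {
        "axios": {"version": "1.14.0"},
        "legacy-tool": {"version": "2.0.0",
                        "dependencies": {"axios": {"version": "0.30.4"}}},
    },
})


if __name__ == "__main__":
    # Usage: python scan_axios.py path/to/package-lock.json
    # (falls back to the constructed v3 sample when no path is given)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCKFILE_V3
    for hit in find_affected_axios(text):
        print(f"AFFECTED: axios@{hit['version']} at {hit['path']}")
```

A lockfile scan only reflects what is pinned at the time it runs; as the report notes, further machines may still fetch the package later, so pair it with registry-proxy or egress logs that record package downloads over the campaign window.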
More details and findings (if any) can be found on the Hunters platform under “Axon Reports”.
Microsoft Graph API Enumeration of Service Principals and Security Groups
Microsoft Graph is the primary API used to access and manage resources within Microsoft Entra ID (formerly Azure Active Directory) and Microsoft 365 environments. Through Microsoft Graph, applications and users can query and modify directory objects such as users, groups, applications, and service principals. These APIs are commonly used by administrative tools, security products, and automation workflows to manage identities, review permissions, and maintain organizational configurations.
Adversaries who gain access to a user account or API token within a tenant may use Microsoft Graph to enumerate service principals, application permissions, and group memberships. By systematically querying these objects, attackers can map the identity landscape of the environment and identify potential paths for privilege escalation, persistence, or lateral movement. Common enumeration patterns include retrieving service principal ownership, reviewing application role assignments, and identifying members or owners of privileged groups.
While these operations can also be performed by legitimate administrative tools and security posture management platforms, they may also indicate reconnaissance activity conducted through compromised identities or unauthorized automation. Distinguishing between benign administrative activity and suspicious enumeration is therefore an important part of identity security monitoring.
This hunting thesis examines Microsoft Graph activity logs to identify patterns consistent with service principal and security group enumeration.
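As an added illustration of the thesis, the detection below (example code, not Hunters' or Team AXON's logic) classifies Graph request URIs into the enumeration categories named above (service principal listing, service principal owners and app role assignments, group members and owners) and flags an identity that hits many of them across several categories inside one sliding window. An allow-list of application IDs stands in for the known posture-management and admin tools the text mentions. The record fields (timestamp, actor, app_id, request_uri) are an assumed, simplified schema loosely modelled on the Azure Monitor MicrosoftGraphActivityLogs table, and all sample records are constructed.

```python
"""Added detection example for Graph service principal / group enumeration.
Illustrative code, not Hunters' or Team AXON's detection logic. The record
schema is assumed (loosely modelled on MicrosoftGraphActivityLogs) and the
sample records are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

GRAPH = "https://graph.microsoft.com/v1.0"

# Request-path shapes matching the enumeration steps the thesis describes.
ENUM_PATTERNS = {
    "sp_list":       re.compile(r"^/(v1\.0|beta)/servicePrincipals$"),
    "sp_owners":     re.compile(r"^/(v1\.0|beta)/servicePrincipals/[^/]+/owners$"),
    "sp_approles":   re.compile(r"^/(v1\.0|beta)/servicePrincipals/[^/]+/appRoleAssignments$"),
    "group_members": re.compile(r"^/(v1\.0|beta)/groups/[^/]+/members$"),
    "group_owners":  re.compile(r"^/(v1\.0|beta)/groups/[^/]+/owners$"),
}


def classify(request_uri: str):
    """Map a Graph request URI to an enumeration category, or None."""
    path = urlsplit(request_uri).path.rstrip("/")
    for name, pattern in ENUM_PATTERNS.items():
        if pattern.match(path):
            return name
    return None


def detect_enumeration(records, window=timedelta(minutes=10),
                       min_calls=20, min_categories=3,
                       allowlisted_app_ids=frozenset()):
    """Flag each actor whose enumeration calls reach min_calls across
    min_categories categories within one sliding window. Calls made through
    allow-listed application IDs (known admin/posture tools) are ignored."""
    by_actor = defaultdict(list)
    for r in records:
        if r["app_id"] in allowlisted_app_ids:
            continue
        category = classify(r["request_uri"])
        if category is not None:
            by_actor[r["actor"]].append((r["timestamp"], category))

    findings = []
    for actor, events in by_actor.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            in_window = events[start:end + 1]
            if (len(in_window) >= min_calls
                    and len({c for _, c in in_window}) >= min_categories):
                # Report the whole burst that begins at events[start].
                burst = [e for e in events[start:] if e[0] - events[start][0] <= window]
                findings.append({
                    "actor": actor,
                    "calls": len(burst),
                    "categories": sorted({c for _, c in burst}),
                    "first_seen": burst[0][0].isoformat(),
                    "last_seen": burst[-1][0].isoformat(),
                })
                break  # one finding per actor
    return findings


def constructed_records():
    """Constructed sample activity (not real telemetry)."""
    t0 = datetime(2026, 1, 15, 9, 0, tzinfo=timezone.utc)

    def rec(offset_s, actor, app_id, uri):
        return {"timestamp": t0 + timedelta(seconds=offset_s), "actor": actor,
                "app_id": app_id, "request_uri": uri}

    # user-a: lists all SPs, then owners + app role assignments per SP, then
    # members of a few groups; 29 enumeration calls in under three minutes.
    recs = [rec(0, "user-a", "app-explorer", f"{GRAPH}/servicePrincipals?$top=999")]
    for i in range(12):
        recs.append(rec(5 + 10 * i, "user-a", "app-explorer", f"{GRAPH}/servicePrincipals/sp-{i}/owners"))
        recs.append(rec(7 + 10 * i, "user-a", "app-explorer", f"{GRAPH}/servicePrincipals/sp-{i}/appRoleAssignments"))
    for i in range(4):
        recs.append(rec(130 + 5 * i, "user-a", "app-explorer", f"{GRAPH}/groups/g-{i}/members"))
    recs.append(rec(200, "user-a", "app-explorer", f"{GRAPH}/me"))  # unrelated, ignored
    # admin-b: two ad-hoc lookups an hour apart, below both thresholds.
    recs.append(rec(0, "admin-b", "app-portal", f"{GRAPH}/groups/g-1/members"))
    recs.append(rec(3600, "admin-b", "app-portal", f"{GRAPH}/groups/g-2/owners"))
    # sync-sp: scheduled sync reading one group every 4 minutes; low rate, one category.
    for i in range(30):
        recs.append(rec(240 * i, "sync-sp", "app-sync", f"{GRAPH}/groups/g-{i}/members"))
    # posture-tool: a high-volume sweep that looks identical to user-a's, but
    # made through an application ID the team has allow-listed.
    for i in range(20):
        recs.append(rec(2 * i, "posture-tool", "app-posture", f"{GRAPH}/servicePrincipals/sp-{i}/owners"))
        recs.append(rec(2 * i + 1, "posture-tool", "app-posture", f"{GRAPH}/servicePrincipals/sp-{i}/appRoleAssignments"))
    for i in range(5):
        recs.append(rec(40 + i, "posture-tool", "app-posture", f"{GRAPH}/groups/g-{i}/members"))
    return recs


if __name__ == "__main__":
    for finding in detect_enumeration(constructed_records(),
                                      allowlisted_app_ids=frozenset({"app-posture"})):
        print(finding)
```

Run without the allow-list and both user-a and posture-tool are reported; with it, only user-a remains. The window, call count and category thresholds are the knobs to tune against a tenant's own baseline: a long-running sync that touches one object type at a low rate (sync-sp above) stays below them, while a fast multi-category sweep does not.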
This threat hunt campaign was conducted from December 11th, 2025, to March 12th, 2026.
If a matching activity is identified within the environment, the relevant findings will be documented in the "Hunting Results" section of this report.
More details and findings (if any) can be found on the Hunters platform under “Axon Reports”.
Deprecated detectors
Failed login with missing logon type permissions
As part of ongoing quality monitoring, this detector was found to be very noisy and inaccurate: many legitimate login attempts match this pattern, which makes the logic irrelevant.
The deprecation time is planned for Apr 14, 2026.
Enrichments
New enrichments
M365 Guest User Operations
This new enrichment identifies guest (external) M365 users and retrieves recent M365 audit activity involving them, such as files or links shared with them and instances where they were invited or added as members.
Infostealer Download Flow Analysis
This new enrichment analyzes potential infostealer infections by identifying likely infection sources, browsing flow, related URLs, domains, and timeline of activity.
This new enrichment is available only for customers with the Identity Threat Protection (ITP) package.
Improved enrichments
Google Workspace IP Activity
This enrichment has been improved to present more information about the users who have recently used this IP for activities on Google Workspace.
Visibility Dashboard
A new visibility dashboard is now available - “GitHub Public Repo Created.”
This dashboard provides visibility into newly created GitHub repositories that are publicly accessible, which may indicate a potential hygiene issue or unintended exposure of code and data.
Integrations
Crowdstrike Incidents - Deprecation
CrowdStrike has announced that “Incident logs” will be retired this week and will no longer be available starting March 9, 2026. To avoid disruption, connect CrowdStrike Alerts (crowdstrike_alerts); use our docs to onboard.
Microsoft Message Trace - Deprecation & Required Update
Microsoft has announced that the legacy Message Trace tools and APIs, commonly used to export email-delivery logs from Exchange Online, will be retired soon.
The API endpoints will be turned off next month, in April 2026.
Microsoft is also planning a new Graph API endpoint for Message Trace, expected to enter public preview in late 2025, which we already support; we have started work on this update for the Microsoft endpoints integration.
Microsoft Message Trace and O365 Audit Logs Documentation
The documentation has been reworked from scratch and simplified for easier onboarding.
Proofpoint On Demand Logs
The integration has been reworked and migrated from our previous ingestion engine to the latest one, enabling better health monitoring.
New Integration Releases:
Cisco IOS - S3 ingestion
Veeam (Backup and Replication) logs - S3 ingestion
Microsoft O365 message trace through Microsoft Graph - new endpoints support - API integration
Halcyon - S3 ingestion
VMware Horizon VDI - S3 ingestion
Nutanix HCI - S3 ingestion
Extreme NAC - S3 ingestion
Tailscale - S3 and API ingestion
Azure Network Firewall logs - Azure ingestion
Trend Micro - API ingestion
Thales - S3 ingestion
Upwind stories - API ingestion