Product
Detector page - Alert threshold setting UX
Improved how the alert threshold and the global alert threshold are displayed. The alert threshold column now shows the effective alert threshold, i.e. the value that results after resolving the Hunters default, the customer-specific setting for the detector, and the global alert threshold against each other.
Data Source page - Pivot to Search (Rollout in progress)
You can now pivot directly from a data flow to the Search page. This automatically runs a query that returns 100 records from the data lake, so you can immediately review the data structure and refine the query as needed. (Note: these are currently 100 arbitrary records, not the most recently ingested ones.)
Security Content
AXON Threat Hunting Report - Gainsight
Team AXON initiated a Rapid Response campaign following the disclosure of a significant security incident involving Gainsight, a popular CRM application that integrates with the Salesforce platform.
The incident resembles the earlier SalesLoft breach, in which attackers compromised SalesLoft's infrastructure and stole the OAuth tokens that granted unauthorized access to customers' Salesforce instances.
Further details and any findings are available on the Hunters platform under "Axon Reports".
Deprecated Detectors
As mentioned in the previous release notes, the following detector was deprecated on Nov 27, 2025:
Execution of WHOAMI as Local System
As part of ongoing quality monitoring, this detector was found to be very noisy and inaccurate.
Many legitimate applications run whoami as Local System, so the logic no longer provides a meaningful signal on its own.
Enrichments
Azure Sign-In Info from Correlation ID
For leads that lack sufficient sign-in context, looks up the Azure sign-in data by azure_correlation_id and builds an Azure Sign-In Mega Entity from it.
This gives analysts important additional context and allows for more accurate verdicts.
M365 File Download App Usage Statistics
Displays usage statistics for the specific application used to download files, adding context to leads concerning M365 file exfiltration.
The statistics cover both global (tenant-wide) usage of the application and usage by the specific user who triggered the lead.
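As an added illustration (not Hunters' code), the Python below computes the same kind of global and per-user statistics over a constructed baseline of Microsoft 365 unified audit log FileDownloaded records, and turns them into the verdict an analyst reads first. Field names follow the unified audit log schema; the users, application IDs, baseline records and the rarity threshold are assumptions made for this example.

```python
import json
from collections import Counter, defaultdict

# Application IDs as they appear in the ApplicationId field. These GUIDs are
# invented for this example, not real Microsoft application IDs.
APP_BROWSER = "11111111-1111-1111-1111-111111111111"   # assumed: web browser
APP_SYNC = "22222222-2222-2222-2222-222222222222"      # assumed: OneDrive sync client
APP_SCRIPT = "99999999-9999-9999-9999-999999999999"    # assumed: never seen in the tenant

# Constructed historical baseline (newline-delimited JSON). The triggering
# event of a lead is NOT part of the baseline, so user_downloads == 0 below
# means "first use by this user". The FileAccessed line shows that
# non-download operations are ignored.
SAMPLE_AUDIT_LOG = """
{"Operation": "FileDownloaded", "UserId": "alice@example.com", "ApplicationId": "11111111-1111-1111-1111-111111111111", "ObjectId": "/personal/alice/Documents/q3-forecast.xlsx"}
{"Operation": "FileDownloaded", "UserId": "alice@example.com", "ApplicationId": "11111111-1111-1111-1111-111111111111", "ObjectId": "/personal/alice/Documents/notes.docx"}
{"Operation": "FileDownloaded", "UserId": "alice@example.com", "ApplicationId": "11111111-1111-1111-1111-111111111111", "ObjectId": "/sites/finance/Shared Documents/budget.xlsx"}
{"Operation": "FileDownloaded", "UserId": "alice@example.com", "ApplicationId": "11111111-1111-1111-1111-111111111111", "ObjectId": "/sites/hr/Shared Documents/policy.pdf"}
{"Operation": "FileDownloaded", "UserId": "alice@example.com", "ApplicationId": "22222222-2222-2222-2222-222222222222", "ObjectId": "/personal/alice/Documents/sync.txt"}
{"Operation": "FileDownloaded", "UserId": "bob@example.com", "ApplicationId": "11111111-1111-1111-1111-111111111111", "ObjectId": "/sites/eng/Shared Documents/design.docx"}
{"Operation": "FileDownloaded", "UserId": "bob@example.com", "ApplicationId": "22222222-2222-2222-2222-222222222222", "ObjectId": "/personal/bob/Documents/a.txt"}
{"Operation": "FileDownloaded", "UserId": "bob@example.com", "ApplicationId": "22222222-2222-2222-2222-222222222222", "ObjectId": "/personal/bob/Documents/b.txt"}
{"Operation": "FileDownloaded", "UserId": "carol@example.com", "ApplicationId": "11111111-1111-1111-1111-111111111111", "ObjectId": "/sites/hr/Shared Documents/policy.pdf"}
{"Operation": "FileDownloaded", "UserId": "dave@example.com", "ApplicationId": "11111111-1111-1111-1111-111111111111", "ObjectId": "/sites/eng/Shared Documents/design.docx"}
{"Operation": "FileAccessed", "UserId": "alice@example.com", "ApplicationId": "11111111-1111-1111-1111-111111111111", "ObjectId": "/sites/hr/Shared Documents/policy.pdf"}
"""


def parse_audit_log(text):
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def app_usage_stats(baseline, app_id, user):
    """Usage statistics for one download application: tenant-wide and for one user."""
    downloads = [r for r in baseline if r.get("Operation") == "FileDownloaded"]
    global_by_app = Counter(r["ApplicationId"] for r in downloads)
    users_by_app = defaultdict(set)
    for r in downloads:
        users_by_app[r["ApplicationId"]].add(r["UserId"].lower())
    user_downloads = [r for r in downloads if r["UserId"].lower() == user.lower()]
    user_by_app = Counter(r["ApplicationId"] for r in user_downloads)
    total, user_total = len(downloads), len(user_downloads)
    return {
        "app_id": app_id,
        "global_downloads": global_by_app[app_id],
        "global_share": global_by_app[app_id] / total if total else 0.0,
        "global_distinct_users": len(users_by_app[app_id]),
        "user_downloads": user_by_app[app_id],
        "user_total_downloads": user_total,
        "user_share": user_by_app[app_id] / user_total if user_total else 0.0,
    }


def usage_verdict(stats, min_user_share=0.25):
    """Summarise the statistics the way an analyst reads them.

    The 0.25 threshold is an assumption for this example, not a Hunters setting.
    """
    if stats["global_downloads"] == 0:
        return "unseen_in_tenant"      # nobody in the tenant downloads with this app
    if stats["user_downloads"] == 0:
        return "new_for_user"          # known in the tenant, first use by this user
    if stats["user_share"] < min_user_share:
        return "unusual_for_user"      # the user has used it, but rarely
    return "typical_for_user"


BASELINE = parse_audit_log(SAMPLE_AUDIT_LOG)

if __name__ == "__main__":
    for user, app in [("alice@example.com", APP_SCRIPT), ("carol@example.com", APP_SYNC),
                      ("alice@example.com", APP_SYNC), ("bob@example.com", APP_SYNC)]:
        stats = app_usage_stats(BASELINE, app, user)
        print(user, app[:8], usage_verdict(stats), stats)
```

Run stand-alone, the block prints a verdict for four constructed leads. Keeping the triggering event out of the baseline is what lets the verdict distinguish an application the user has never used from one the user merely uses rarely; the tenant-wide distinct-user count is the second thing to look at, since an app used by many users is far less likely to be an exfiltration tool.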
Integrations
Microsoft Message Trace - Deprecation & Required Update
Microsoft has announced that the legacy Message Trace tools and APIs, commonly used to export email-delivery logs from Exchange Online, will be retired soon.
The API endpoints will be turned off on March 18, 2026.
Microsoft is also planning a new Graph API endpoint for Message Trace, expected to enter public preview in late 2025. Hunters already supports ingestion through the Microsoft Graph integration (https://docs.hunters.ai/docs/microsoft-graph) and will update it once Microsoft releases the new endpoint.
What this means for you
To ensure continued ingestion of your Microsoft email logs, you will need to migrate to Microsoft’s Graph API endpoint.
How Hunters can help
Our team is monitoring Microsoft's rollout closely and will update our customers on any expected changes.
Please reach out to us with any questions or doubts.
New Integrations Releases:
Delinea-audit-logs (Suite Cloud) - S3 integration
FortiDLP-logs - API integration
Genesys-audit-logs - API integration
FastTrack - 3 endpoints (log types) - API integration
Vectra RUX Detection events - API integration
Sekoia Advanced Feed - API integration
PAN firewall URL-filtering integration - S3 integration
Detectors
New detectors
Deprecated detectors
The following detector will be deprecated:
Execution of WHOAMI as local system
As part of ongoing quality monitoring, this detector was found to be very noisy and inaccurate.
Many legitimate applications run whoami as Local System, so the logic no longer provides a meaningful signal on its own.
Deprecation is planned for Nov 27, 2025.
As mentioned in the previous release notes, the following two detectors have been deprecated recently:
Suspicious execution from %ProgramData% (deprecated)
The detector was very noisy: execution from %ProgramData% does not by itself indicate suspicious activity unless there is some other indicator.
The detector was replaced by a scoring model that runs on the relevant EDR-based detectors and increases score in case the target process was executed from %ProgramData%.
Possible use of a stolen or forged user ticket (TGT) (deprecated)
The detector was very inaccurate and noisy.
The detector aimed to detect Golden Ticket attacks. However, adversaries increasingly use more advanced variants such as Diamond and Sapphire Tickets, which this detector would not catch.
At present there is no effective way to detect the Diamond/Sapphire Ticket techniques. Hunters' Team Axon will keep evaluating possible detections and will develop a detector if one can be made accurate enough.
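The replacement for the %ProgramData% detector described above is a score modifier on top of other EDR-based detectors, not a detector of its own. As an added example (not Hunters' code), the Python below shows that shape: an event only becomes a lead when some EDR detector already fired, and execution from %ProgramData% then raises the score. The event layout, detector names, scores, boost and cap are assumptions for this example; the path handling (unexpanded %ProgramData% token, forward slashes, case, quoting and '..' components) is the part worth copying.

```python
import ntpath

# Assumed location of the ProgramData directory; real EDR events usually carry
# the already expanded path, but scripts and registry values often do not.
PROGRAMDATA = r"C:\ProgramData"


def is_under_programdata(image_path, programdata=PROGRAMDATA):
    """Return True if image_path points to a file beneath the ProgramData directory.

    Handles the unexpanded %ProgramData% token, forward slashes, mixed case,
    surrounding quotes and '..' components, and does not match look-alike
    siblings such as C:\\ProgramDataX.
    """
    p = image_path.strip().strip('"')
    if p.lower().startswith("%programdata%"):
        p = programdata + p[len("%programdata%"):]
    p = ntpath.normpath(p).lower()            # resolves '..' and '/' without touching the filesystem
    root = ntpath.normpath(programdata).lower().rstrip("\\") + "\\"
    return p.startswith(root)


def score_edr_leads(events, boost=20, cap=100):
    """Apply the %ProgramData% modifier to EDR detector hits.

    Each event is a dict with 'id', 'image_path', 'detector' (the EDR-based
    detector that fired, or None) and 'score'. Only events with a detector hit
    become leads; for those, execution from %ProgramData% adds `boost` (capped)
    and records the reason. Events with no detector hit are dropped even when
    they ran from %ProgramData%: that is exactly the standalone alert that was
    deprecated as noise.
    """
    leads = {}
    for ev in events:
        if not ev.get("detector"):
            continue
        score, reasons = ev["score"], [ev["detector"]]
        if is_under_programdata(ev.get("image_path", "")):
            score = min(cap, score + boost)
            reasons.append("executed_from_programdata")
        leads[ev["id"]] = (score, reasons)
    return leads


# Constructed events; detector names and scores are invented for the example.
SAMPLE_EVENTS = [
    {"id": "e1", "image_path": r"C:\ProgramData\Updater\svc.exe",
     "detector": "Suspicious LSASS access", "score": 60},
    {"id": "e2", "image_path": r"C:\ProgramData\Vendor\agent.exe",
     "detector": None, "score": 0},                       # no detector hit: never a lead
    {"id": "e3", "image_path": r"%ProgramData%\..\Windows\System32\cmd.exe",
     "detector": "Encoded PowerShell command", "score": 50},  # resolves outside ProgramData
    {"id": "e4", "image_path": '"c:/programdata/tmp/a.exe"',
     "detector": "Encoded PowerShell command", "score": 90},  # boosted, then capped
]

if __name__ == "__main__":
    for lead_id, (score, reasons) in score_edr_leads(SAMPLE_EVENTS).items():
        print(lead_id, score, reasons)
```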
Enrichments
Potential download origin URL found
This drilldown is based on Crowdstrike's MotwWritten event (the Mark-of-the-Web zone identifier written to a downloaded file), so it is relevant only where Crowdstrike EDR logs exist.
Microsoft 365 users who accessed mailbox owned by this user
Presents all users who accessed the mailbox owned by a given user.
This drilldown helps determine whether a given mailbox is a shared mailbox.
It is mainly useful for the detector "Microsoft 365 Abnormal Mail Access by Unusual ClientAppId": if multiple non-owner users have been accessing the mailbox, it is more likely a shared mailbox, which lowers the likelihood that the abnormal mail access is malicious.
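As an added example (not Hunters' code), the Python below runs that shared-mailbox heuristic over constructed Exchange Online MailItemsAccessed audit records. Field names follow the unified audit log schema and LogonType keeps its Exchange mailbox-auditing meaning (0 owner, 1 admin, 2 delegate); the users, client app IDs and the two-user threshold are assumptions for this example. Admin/service access is deliberately kept out of the count, because compliance searches and backup agents touch many mailboxes and say nothing about whether people share one.

```python
import json
from collections import Counter

# Constructed mailbox audit records (newline-delimited JSON). Field names follow
# the Microsoft 365 unified audit log schema; values are invented.
SAMPLE_MAILBOX_AUDIT = """
{"Operation": "MailItemsAccessed", "UserId": "alice@example.com", "MailboxOwnerUPN": "alice@example.com", "LogonType": 0, "ClientAppId": "aaaa-outlook"}
{"Operation": "MailItemsAccessed", "UserId": "alice@example.com", "MailboxOwnerUPN": "alice@example.com", "LogonType": 0, "ClientAppId": "aaaa-outlook"}
{"Operation": "MailItemsAccessed", "UserId": "bob@example.com", "MailboxOwnerUPN": "alice@example.com", "LogonType": 2, "ClientAppId": "aaaa-outlook"}
{"Operation": "MailItemsAccessed", "UserId": "Bob@Example.com", "MailboxOwnerUPN": "alice@example.com", "LogonType": 2, "ClientAppId": "aaaa-outlook"}
{"Operation": "MailItemsAccessed", "UserId": "carol@example.com", "MailboxOwnerUPN": "alice@example.com", "LogonType": 2, "ClientAppId": "bbbb-owa"}
{"Operation": "MailItemsAccessed", "UserId": "ediscovery-svc@example.com", "MailboxOwnerUPN": "erin@example.com", "LogonType": 1, "ClientAppId": "cccc-compliance"}
{"Operation": "MailItemsAccessed", "UserId": "dave@example.com", "MailboxOwnerUPN": "erin@example.com", "LogonType": 2, "ClientAppId": "aaaa-outlook"}
{"Operation": "MailItemsAccessed", "UserId": "erin@example.com", "MailboxOwnerUPN": "erin@example.com", "LogonType": 0, "ClientAppId": "aaaa-outlook"}
{"Operation": "MailboxLogin", "UserId": "dave@example.com", "MailboxOwnerUPN": "alice@example.com", "LogonType": 2, "ClientAppId": "aaaa-outlook"}
"""


def parse_audit_log(text):
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def mailbox_accessors(records, owner):
    """Break down MailItemsAccessed activity on one mailbox by who did it.

    Returns owner access count, delegate (non-owner user) access per actor and
    admin/service access per actor. UPNs are compared case-insensitively.
    """
    owner = owner.lower()
    owner_access, admin_access, delegate_access = 0, Counter(), Counter()
    for r in records:
        if r.get("Operation") != "MailItemsAccessed":
            continue
        if r.get("MailboxOwnerUPN", "").lower() != owner:
            continue
        actor = r["UserId"].lower()
        if r.get("LogonType") == 0 or actor == owner:
            owner_access += 1
        elif r.get("LogonType") == 1:
            admin_access[actor] += 1
        else:
            delegate_access[actor] += 1
    return {
        "owner": owner,
        "owner_access": owner_access,
        "admin_access": dict(admin_access),
        "non_owner_access": dict(delegate_access),
    }


def assess_shared_mailbox(summary, min_non_owner_users=2):
    """Shared-mailbox heuristic used to weigh an "unusual ClientAppId" lead.

    A single delegate (an assistant reading a manager's mailbox) is ordinary
    and keeps the lead's priority; two or more distinct non-owner users make a
    shared mailbox the likelier explanation. The threshold is an assumption.
    """
    n = len(summary["non_owner_access"])
    likely_shared = n >= min_non_owner_users
    return {
        "distinct_non_owner_users": n,
        "likely_shared": likely_shared,
        "lead_priority": "lowered" if likely_shared else "unchanged",
    }


MAILBOX_RECORDS = parse_audit_log(SAMPLE_MAILBOX_AUDIT)

if __name__ == "__main__":
    for owner in ("alice@example.com", "erin@example.com"):
        summary = mailbox_accessors(MAILBOX_RECORDS, owner)
        print(owner, summary, assess_shared_mailbox(summary))
```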
Integrations
New Integrations Releases:
DataDog - added webhook integration
Delinea-audit-logs (Suite Cloud) - S3 integration
Beyondtrust-remote-support-session - API integration
FortiDLP-logs - API integration
Genesys-audit-logs - API integration