This page contains information about new content released in the last month, and improvements and bug fixes to existing content.
This information, and information about all existing content, can also be found in the Knowledge Center in the Hunters portal.

New Content

  • Detector: Cloudtrail S3 Delete Public Access Block
    • Description: Detects deletion or modification of the PublicAccessBlock configuration of S3 buckets where the flags governing reachability from the internet are changed.
    • Prerequisites: AWS CloudTrail
    • Where it can be found: Leads Page
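The following is an added example of the kind of logic such a detector runs, not Hunters' own code. It flags CloudTrail records that remove the PublicAccessBlock configuration or switch one of its four flags off, and skips calls that failed (a denied DeletePublicAccessBlock changed nothing). The event names follow CloudTrail's logging of the S3 and S3 Control APIs, but the requestParameters layout and the sample records are assumptions constructed for the example.

```python
"""Flag CloudTrail records that weaken S3 Block Public Access.

Added example: this is not the Hunters detector. The event names, field
names and sample records are assumptions modelled on CloudTrail's format
for the S3 and S3 Control PublicAccessBlock APIs.
"""
import json

# Bucket-level (S3) and account-level (S3 Control) calls that remove or
# rewrite the PublicAccessBlock configuration; both log under
# eventSource s3.amazonaws.com.
DELETE_EVENTS = {"DeleteBucketPublicAccessBlock", "DeletePublicAccessBlock"}
PUT_EVENTS = {"PutBucketPublicAccessBlock", "PutPublicAccessBlock"}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def _is_false(value):
    # CloudTrail serialises the flags as JSON booleans; tolerate "false" too.
    return value is False or (isinstance(value, str) and value.lower() == "false")


def disabled_flags(record):
    """Return the PublicAccessBlock flags this record turns off (empty if none).

    A delete drops the whole configuration, so all four flags are reported;
    a put is reported only for the flags explicitly set to false.
    """
    if record.get("eventSource") != "s3.amazonaws.com":
        return []
    name = record.get("eventName")
    if name in DELETE_EVENTS:
        return list(PAB_FLAGS)
    if name in PUT_EVENTS:
        params = record.get("requestParameters") or {}
        cfg = params.get("PublicAccessBlockConfiguration") or {}
        return [f for f in PAB_FLAGS if _is_false(cfg.get(f))]
    return []


def build_leads(records):
    """One lead per successful record that disables at least one flag."""
    leads = []
    for rec in records:
        if rec.get("errorCode"):  # AccessDenied etc.: nothing actually changed
            continue
        flags = disabled_flags(rec)
        if not flags:
            continue
        params = rec.get("requestParameters") or {}
        identity = rec.get("userIdentity") or {}
        leads.append({
            "event": rec["eventName"],
            "target": params.get("bucketName") or params.get("accountId") or "unknown",
            "actor": identity.get("arn") or identity.get("principalId") or "unknown",
            "source_ip": rec.get("sourceIPAddress"),
            "time": rec.get("eventTime"),
            "flags_disabled": flags,
        })
    return leads


def _record(name, params, error=None):
    # Builds a constructed sample record in CloudTrail's shape.
    rec = {
        "eventTime": "2023-05-01T08:00:00Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": name,
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLE",
                         "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": params,
    }
    if error:
        rec["errorCode"] = error
    return rec


# Constructed sample records (not real CloudTrail output).
SAMPLE_RECORDS = [
    # 1. Whole configuration removed from a bucket -> lead
    _record("DeleteBucketPublicAccessBlock", {"bucketName": "corp-backups"}),
    # 2. Two of the four flags switched off -> lead
    _record("PutBucketPublicAccessBlock", {
        "bucketName": "corp-web-assets",
        "PublicAccessBlockConfiguration": {
            "BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}}),
    # 3. All flags kept on: a hardening change, not a lead
    _record("PutBucketPublicAccessBlock", {
        "bucketName": "corp-logs",
        "PublicAccessBlockConfiguration": {f: True for f in PAB_FLAGS}}),
    # 4. Delete attempt denied by IAM: no change, no lead
    _record("DeletePublicAccessBlock", {"accountId": "123456789012"},
            error="AccessDenied"),
]

if __name__ == "__main__":
    print(json.dumps(build_leads(SAMPLE_RECORDS), indent=2))
```

Running the block prints two leads: the bucket whose configuration was deleted and the bucket where BlockPublicPolicy and RestrictPublicBuckets were turned off. A bucket-level put that leaves all four flags on is a hardening change and is deliberately not a lead; whether denied attempts deserve a lower-scored lead of their own is a tuning decision this example leaves out.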

  • Enrichment: Hostname to Vulnerabilities
    • Description: Provides the vulnerabilities on a hostname, as detected by a vulnerability management product.
    • Prerequisites: Tenable.io logs
    • Where it can be found: Entity enrichment for Local Host

  • Scoring Model: Vulnerability Management Scoring Model
    • Description: Generic scoring layer that adjusts a lead's score based on the vulnerabilities found on the entities related to it.
    • Prerequisites: Tenable.io logs
    • Where it can be found: Leads page - Incident Summary of relevant leads; SOC Queue - Incident Summary of relevant leads

  • Detector: Impossible Travel - Okta
    • Description: Detects consecutive logins by the same user from two different IP addresses where the travel speed required to move between their locations within the observed time frame is impossible. Only one lead is generated per IP pair.
    • Prerequisites: Okta Logs
    • Where it can be found: Leads Page
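As an added example (not Hunters' detector), the check below runs over Okta System Log events: it orders each user's successful user.session.start events by time, computes the great-circle distance between the GeoIP coordinates of consecutive logins from different IPs, divides by the elapsed time, and raises one lead per (user, IP pair) when the required speed exceeds a threshold. The field names are Okta's (published, actor.alternateId, client.ipAddress, client.geographicalContext.geolocation); the events, the 1000 km/h threshold and the 50 km minimum distance are assumptions constructed for the example.

```python
"""Impossible-travel check over Okta System Log events.

Added example, not Hunters' detector. The field names follow the Okta
System Log schema; the events, threshold and minimum distance are
assumptions made for this example.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def _parse(event):
    geo = event["client"]["geographicalContext"]["geolocation"]
    return {
        "user": event["actor"]["alternateId"],
        "ip": event["client"]["ipAddress"],
        "lat": geo["lat"], "lon": geo["lon"],
        # Okta publishes UTC timestamps with a trailing Z.
        "time": datetime.fromisoformat(event["published"].replace("Z", "+00:00")),
    }


def impossible_travel_leads(events, max_speed_kmh=1000.0, min_distance_km=50.0):
    """Return one lead per (user, IP pair) whose consecutive successful
    logins would require travelling faster than max_speed_kmh.

    min_distance_km absorbs GeoIP jitter: two IPs resolving a few km apart
    never form an impossible-travel lead, however close in time.
    """
    logins = [_parse(e) for e in events
              if e.get("eventType") == "user.session.start"
              and e.get("outcome", {}).get("result") == "SUCCESS"]
    logins.sort(key=lambda x: (x["user"], x["time"]))

    leads, seen_pairs = [], set()
    for prev, cur in zip(logins, logins[1:]):
        if prev["user"] != cur["user"] or prev["ip"] == cur["ip"]:
            continue
        distance = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
        if distance < min_distance_km:
            continue
        hours = (cur["time"] - prev["time"]).total_seconds() / 3600.0
        speed = float("inf") if hours == 0 else distance / hours
        if speed <= max_speed_kmh:
            continue
        pair = (cur["user"], frozenset((prev["ip"], cur["ip"])))
        if pair in seen_pairs:  # only one lead per IP pair
            continue
        seen_pairs.add(pair)
        leads.append({"user": cur["user"], "from_ip": prev["ip"], "to_ip": cur["ip"],
                      "distance_km": round(distance), "hours": round(hours, 2),
                      "speed_kmh": round(speed)})
    return leads


def _login(user, ip, lat, lon, published, result="SUCCESS"):
    # Builds a constructed event in Okta System Log shape.
    return {"published": published, "eventType": "user.session.start",
            "actor": {"alternateId": user},
            "client": {"ipAddress": ip,
                       "geographicalContext": {"geolocation": {"lat": lat, "lon": lon}}},
            "outcome": {"result": result}}


# Constructed sample events (not real Okta output). Coordinates are
# New York, London and Boston.
SAMPLE_EVENTS = [
    _login("alice@example.com", "203.0.113.10", 40.7128, -74.0060, "2023-05-01T08:00:00.000Z"),
    _login("alice@example.com", "198.51.100.20", 51.5074, -0.1278, "2023-05-01T09:30:00.000Z"),
    _login("alice@example.com", "198.51.100.20", 51.5074, -0.1278, "2023-05-01T09:45:00.000Z"),
    _login("alice@example.com", "203.0.113.10", 40.7128, -74.0060, "2023-05-01T10:30:00.000Z"),
    _login("alice@example.com", "192.0.2.99", 48.8566, 2.3522, "2023-05-01T10:31:00.000Z", result="FAILURE"),
    _login("bob@example.com", "203.0.113.50", 42.3601, -71.0589, "2023-05-01T08:00:00.000Z"),
    _login("bob@example.com", "203.0.113.51", 40.7128, -74.0060, "2023-05-01T12:00:00.000Z"),
]

if __name__ == "__main__":
    for lead in impossible_travel_leads(SAMPLE_EVENTS):
        print(lead)
```

On the sample data alice produces exactly one lead: New York to London in 90 minutes (roughly 3700 km/h). Her later London to New York login over the same two IPs is an even faster hop, but the pair has already been reported, so it is suppressed; bob's Boston to New York login over four hours is ordinary travel. Failed logins are excluded on purpose, since a password-spray from abroad against a user sitting at their desk is a different signal and belongs to a different detector.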

  • Enrichment: VPN Users Behind IP
    • Description: Number of VPN users seen behind the IP address, during and before the lead.
    • Prerequisites: PAN GlobalProtect or Cisco ASA AnyConnect
    • Where it can be found: Entity Enrichment

  • Detector: Sensitive Answer File Access
    • Description: Answer files (Unattend files) modify settings in Windows images during setup and are sometimes left on disk with embedded credentials. Adversaries take advantage of this bad practice to obtain plaintext passwords. Detects processes accessing these files.
    • Prerequisites: EDR Process Logs
    • Where it can be found: Leads Page

Improvements and Bugfixes

  • Improvements to Mimecast alerts

    • Tuned scoring for better prioritization in SOC queue and story correlation

    • New and improved lead structure based on the alerts

  • Improvements to EDR Logons unified schema

    • Microsoft Defender for Endpoint is now supported

    • Small improvements to other sources

    • CrowdStrike Domain Admin Asset Tag

  • Improvements to Azure Risky Logins Scoring Model

    • Lowered the severity score for failed logins

    • Increased the confidence score for risk types identified during sign-in, such as impossible travel or a known malicious IP

  • Improvements to the “Windows Event Log Cleared” detector’s scoring model

    • Increased the severity score for clearing the System.evtx and Security.evtx logs

  • Improvements to Azure Security Center alerts

    • Extract more entities from various types of alerts