2022 - February
This page contains information about new content released in the last month, and improvements and bug fixes to existing content.
This information, and information about all existing content, can also be found in the Knowledge Center in the Hunters portal.
New Content
Category | Name | Description | Prerequisites | Where it can be found |
---|---|---|---|---|
Detector | AWS GuardDuty Kubernetes Native Alert | Native GuardDuty alert of the finding type Kubernetes. | | Leads page - AWS leads SOC Queue |
Detector | Suspicious Execution from Windows Public Folder | Detects execution of commonly abused binaries: | | Leads page - Enterprise Network leads |
Detector | DNS Server Data Exfiltration | Detects suspected data exfiltration over the DNS protocol. | | Leads page - Enterprise Network leads |
Detector | Suspected Pwnkit Exploitation CVE-2021-4034 | Detects Pwnkit exploitation attempts, which include pkexec process execution without proper argument validation, observed in the EDR logs. | | Leads page - Enterprise Network leads |
Drilldown | Organizational Local Username Creation Prevalence | Summarizes the data on the creation of a user on all of the EDR agents in the organization. | | Entities enrichments - under the Employee, OSUser and Process entities (when they include the OS username). |
Drilldown | Local User Creation Details | Summarizes details on the creation of a user. | | Entities enrichments - under the Employee, OSUser and Process entities (when they include the OS username). |
Detector | TCC DB File Manipulation | Detects possible abuse of the macOS system file TCC.db, which is used for controlling application access to certain features. | | Leads page - Enterprise Network leads |
Detector | Microsoft 365 Defender Endpoint Alerts | Integration with the new version of Microsoft 365 Defender alerts for EDR events. | | Leads page - Enterprise Network leads |
Improvements and Bugfixes
Improved query performance of “IP IOC Found in Network Traffic Events” detector.
Improved the “Okta Sessions from Email” auto-investigation to also extract the “Accessed App Names” and “Denied App Names” attributes for each session.
Improvements for story connections between different Proofpoint Alerts.
Improved the scoring logic of the “CloudTrail Disruption Events” detector.
Fixed Domain enrichments for CrowdStrike alerts that contain Domain IOCs.
Improved hostname attribution for CrowdStrike agents for customers that ingest the CrowdStrike Devices data type.
Fixed an issue in “Email Address Statistics” auto-investigation that caused some data to be missing.
Improved Email alerts scoring by excluding noisy image file names.
Improved Entities display of “Instance Profile Security Credentials Used by Multiple IP Addresses”.
Improved the AWS GuardDuty Alerts: the “User-Agent” attribute is now extracted whenever it exists in the alert.
Added the “Lead Activity” logic to multiple G Suite and AWS aggregate detectors.
Improved the “AWS Root User Activity” detector; it now contains aggregated information about root user activity.
Improvements for Carbon Black Native Alerts:
Deprecated detectors on specific alert types to prevent duplicate leads and reduce noise.
Improved entity creation; Process entities are now populated more consistently and successfully.