This page contains information about new content released in the last month, and improvements and bug fixes to existing content.
This information, and information about all existing content, can also be found in the Knowledge Center in the Hunters portal.

New Content

| Category | Name | Description | Prerequisites | Where it can be found |
|---|---|---|---|---|
| Detector | CloudWatch Alarms Disruption Detected | Detects attempts to disrupt the CloudWatch Alarms mechanism, which may indicate a threat actor's attempt to evade detection. | AWS CloudTrail logs | Leads page; SOC Queue |
| Detector | Suspicious PE File Written by Office Application | Detects new PE files written to disk by an Office application (Word, Excel, etc.), which may indicate a macro attack vector. | EDR logs | Leads page (Enterprise Network leads); SOC Queue |
| Detector | Azure AD Successful Login Using Legacy Protocols | Detects suspicious logins from unmanaged devices using legacy authentication protocols, which can allow adversaries to bypass the MFA policy in Azure AD. | Azure Sign-In | Leads page |
| Enrichment | Binary Name Execution Prevalence | Fetches the organizational prevalence and first execution time of a binary (by file name). | EDR logs | Entity enrichment for Process |
| Enrichment | Binary Hash Execution Prevalence | Fetches the organizational prevalence and first execution time of a binary (by file hash). | EDR logs | Entity enrichment for Process |
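As an added example, not the Hunters detector itself: a small Python check over constructed CloudTrail records that flags the CloudWatch API calls which remove or silence alarms, the behaviour the "CloudWatch Alarms Disruption Detected" detector targets. The action set, field handling and sample records are assumptions; the page does not list the detector's exact criteria.

```python
from typing import Iterable, List

# CloudWatch actions that remove or silence alarms (assumption; the page does not list the detector's criteria).
DISRUPTIVE_ACTIONS = {
    "DeleteAlarms": "alarm deleted",
    "DisableAlarmActions": "alarm actions disabled",
    "SetAlarmState": "alarm state overridden",
}

def find_alarm_disruptions(records: Iterable[dict]) -> List[dict]:
    """One lead per CloudTrail record that tries to disrupt alarms; denied calls are kept as attempts."""
    leads = []
    for rec in records:
        if rec.get("eventSource") != "monitoring.amazonaws.com":
            continue  # only the CloudWatch service emits alarm API calls
        reason = DISRUPTIVE_ACTIONS.get(rec.get("eventName", ""))
        if reason is None:
            continue  # read-only or unrelated CloudWatch call
        params = rec.get("requestParameters") or {}
        alarms = params.get("alarmNames") or [params.get("alarmName")]
        leads.append({
            "time": rec.get("eventTime"),
            "actor": rec.get("userIdentity", {}).get("arn"),
            "source_ip": rec.get("sourceIPAddress"),
            "action": rec["eventName"],
            "reason": reason,
            "alarms": [a for a in alarms if a],
            "succeeded": not rec.get("errorCode"),  # AccessDenied etc. still counts as an attempt
        })
    return leads

# Constructed sample CloudTrail records (not real data).
SAMPLE_EVENTS = [
    {"eventTime": "2022-01-10T08:01:00Z", "eventSource": "monitoring.amazonaws.com",
     "eventName": "DescribeAlarms", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops"},
     "sourceIPAddress": "203.0.113.10", "requestParameters": {}},
    {"eventTime": "2022-01-10T08:02:00Z", "eventSource": "monitoring.amazonaws.com",
     "eventName": "DeleteAlarms", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"alarmNames": ["root-login-alarm", "cloudtrail-stopped-alarm"]}},
    {"eventTime": "2022-01-10T08:03:00Z", "eventSource": "monitoring.amazonaws.com",
     "eventName": "DisableAlarmActions", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev"},
     "sourceIPAddress": "198.51.100.7", "requestParameters": {"alarmNames": ["guardduty-alarm"]},
     "errorCode": "AccessDenied"},
]

if __name__ == "__main__":
    for lead in find_alarm_disruptions(SAMPLE_EVENTS):
        print(lead)
```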

Improvements and Bugfixes

  • Improvements to "Suspected IAM Privilege Escalation Behavior"

    • Improved coverage

    • Reduced false positive rate

  • Fixed source and destination fields to be based on network direction in the Network Activity entity in "AWS GuardDuty EC2 Native Alert"

  • Fixed a bug where user enrichments sometimes didn’t appear in the Employee entity screen

  • Improved Employee entity population for CrowdStrike customers: the entity now also includes the Windows User SID and User Principal Name when this information was found for the given username

  • Employee matching based on Windows User SID and User Principal Name is now supported for relevant HR data sources

  • Improved scoring of SHA-256 IOC lookup detectors

    • Improved the VirusTotal scoring layer to raise confidence for this detector when a large number of AV detections were found for the IOC, or when suspicious tags were found related to the IOC

    • Added a “Suspicious Path” scoring rule to raise confidence when the IOC was found in a suspicious or uncommon path

  • Reduced number of hash IOC false positives significantly using the NSRL (National Software Reference Library) dataset

  • Improvements to "Built-in Privileged IAM Policy Attached"

    • Improved coverage

    • Fine-tuned scoring

  • Fixed a bug where certain Drilldowns didn’t run on Mimecast alerts

  • Improvements to SentinelOne Threats

    • A dedicated scoring layer was added for better score distribution, with MITRE ATT&CK techniques mapping for each threat

    • Fixed a bug where threats sometimes had an empty user field, which caused false correlations in Stories