This page contains information about new content released in the last month, and improvements and bug fixes to existing content.
This information, and information about all existing content, can also be found in the Knowledge Center in the Hunters portal.

New Content

Category: Enrichment
Name: Okta MFA Reset Activity
Description: Shows MFA factor reset and set-up activity for the user in the last day, who performed it, and from where
Prerequisites: Okta logs
Where it can be found: Okta related leads

Category: Asset Tagging
Name: ADFS (Active Directory Federation Services) asset tags
Description:
  • ADFS Server asset tagging
  • ADFS Service account asset tagging
Prerequisites: EDR logs
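The enrichment described above answers three questions for a user: which MFA factors were reset or set up in the last day, who did it, and from where. The following is an added example of that logic and is not Hunters' own enrichment code. It assumes Okta System Log events in their JSON shape (eventType, published, actor, client, target) and uses the Okta factor-lifecycle event type names; the sample events are constructed, and the fixed NOW value exists only so the example is reproducible.

```python
"""Okta MFA factor reset / set-up summary for one user over a trailing window.

Added example, not Hunters' own enrichment code. Assumptions, labelled here and in
the lead-in: events are Okta System Log records in their JSON shape (eventType,
published, actor, client, target); the eventType names below are the Okta System
Log factor-lifecycle event names; the sample events are constructed.
"""
from datetime import datetime, timedelta, timezone

# Okta System Log event types that reset, remove, enrol or change an MFA factor.
MFA_FACTOR_EVENT_TYPES = {
    "user.mfa.factor.reset_all",
    "user.mfa.factor.deactivate",
    "user.mfa.factor.activate",
    "user.mfa.factor.update",
}

NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # fixed "now" so the example is reproducible


def _event(event_type, published, actor, target_user, ip, city, country):
    """Build a constructed Okta-shaped event (only the fields this example reads)."""
    return {
        "eventType": event_type,
        "published": published,
        "actor": {"type": "User", "alternateId": actor},
        "client": {"ipAddress": ip,
                   "geographicalContext": {"city": city, "country": country}},
        "target": [{"type": "User", "alternateId": target_user}],
    }


# Constructed sample data: an admin reset alice's factors, alice re-enrolled, plus
# noise (another user, an event older than the window, a non-MFA event).
SAMPLE_EVENTS = [
    _event("user.mfa.factor.activate", "2024-05-01T10:05:00.000Z", "alice@example.com",
           "alice@example.com", "198.51.100.20", "Tel Aviv", "Israel"),
    _event("user.mfa.factor.reset_all", "2024-05-01T10:00:00.000Z", "admin@example.com",
           "alice@example.com", "203.0.113.5", "Berlin", "Germany"),
    _event("user.mfa.factor.deactivate", "2024-05-01T09:00:00.000Z", "admin@example.com",
           "bob@example.com", "203.0.113.5", "Berlin", "Germany"),
    _event("user.mfa.factor.reset_all", "2024-04-29T10:00:00.000Z", "admin@example.com",
           "alice@example.com", "203.0.113.5", "Berlin", "Germany"),
    _event("user.session.start", "2024-05-01T11:00:00.000Z", "alice@example.com",
           "alice@example.com", "198.51.100.20", "Tel Aviv", "Israel"),
]


def parse_published(ts):
    """Okta publishes UTC timestamps with a trailing Z, which fromisoformat() only accepts from 3.11."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def target_user(event):
    for t in event.get("target") or []:
        if t.get("type") == "User":
            return t.get("alternateId")
    return None


def mfa_reset_activity(events, user, now=NOW, window=timedelta(days=1)):
    """Return MFA factor reset/set-up events targeting `user` within `window`, oldest first,
    each with who did it (and whether it was self-service) and the source IP/location."""
    since = now - window
    rows = []
    for ev in events:
        if ev.get("eventType") not in MFA_FACTOR_EVENT_TYPES or target_user(ev) != user:
            continue
        ts = parse_published(ev["published"])
        if not since <= ts <= now:
            continue
        actor = ev.get("actor") or {}
        client = ev.get("client") or {}
        geo = client.get("geographicalContext") or {}
        rows.append({
            "time": ts.isoformat(),
            "event": ev["eventType"],
            "actor": actor.get("alternateId"),
            "actor_type": actor.get("type"),
            # An admin or help desk resetting someone else's factor is the case worth a second look.
            "self_service": actor.get("alternateId") == user,
            "ip": client.get("ipAddress"),
            "location": ", ".join(p for p in (geo.get("city"), geo.get("country")) if p) or None,
        })
    rows.sort(key=lambda r: r["time"])
    return rows


if __name__ == "__main__":
    for row in mfa_reset_activity(SAMPLE_EVENTS, "alice@example.com"):
        print(row)
```

The self_service flag is the detail an analyst usually wants first: a user re-enrolling a phone is routine, while an administrator (or a help-desk account) resetting all of someone's factors shortly before a sign-in from an unfamiliar location is the classic shape of a social-engineered MFA reset.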

Improvements and Bugfixes

  • Improvements to the “Active Directory Enumeration Detected” detector:

    • The network connections involved are now shown under the “Lead Activity” enrichment.

    • Removed false positives.

  • Improvements to the population rate of the “Host Owner” and “Local User” Employee Entities.

  • Improvements to the population rate of “AWS Identity” Entities.

  • Additional attributes are now extracted for leads from the “New OAuth Application Consent” detector, specifically the ID of the application the lead relates to.

  • Improved the success rate of the “AWS Console Logins” drilldown.

  • Decreased the FP rate of the “Azure AD Sign-in Marked as Risky by Microsoft” detector by filtering out sign-ins that Azure AD itself subsequently marked as safe, so a risk detection that Microsoft has already cleared no longer produces a lead.

  • Entities that contain an IP address now present additional geographical information about that address.

  • Improved the “Windows Situational Awareness Process Execution” detector: significantly reduced the number of FPs it generates by filtering out several benign initiating-process command lines.

  • Replaced the “Suspicious Scheduled Task Registered” detector with “New Suspicious Scheduled Task Registered”, which alerts only the first time a given suspicious scheduled task is seen rather than on every registration.
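The change above swaps a detector that fires on every matching registration for one that fires only on the first appearance of a task. The following is an added example of that first-seen pattern and is not Hunters' detector. It assumes simplified, constructed input records in the shape of Windows Security event 4698 ("A scheduled task was created") with the action already extracted from the TaskContent XML, and the "suspicious" heuristics it applies are illustrative rather than the product's. It also goes one step beyond the note: task names and action paths are normalized (GUIDs, SIDs, per-user profile directories) so that one logical task deployed to many users does not look like many new tasks.

```python
"""First-seen filter for suspicious scheduled task registrations.

Added example, not Hunters' detector. Assumptions, labelled: input events are
simplified, constructed records in the shape of Windows Security event 4698
("A scheduled task was created") with the action already extracted from the
TaskContent XML; the "suspicious" heuristics are illustrative, not the product's.
"""
import re

# Illustrative heuristics for what makes a scheduled task's action suspicious.
SUSPICIOUS_PATTERNS = [
    # PowerShell with an encoded command or a hidden window
    re.compile(r"powershell(\.exe)?\s.*(-e(nc|ncodedcommand)?\b|-w(indowstyle)?\s+hidden)", re.I),
    # Executables and scripts launched from user-writable locations
    re.compile(r"\\(users|programdata|windows\\temp)\\.*\.(exe|vbs|js|bat|ps1)\b", re.I),
    # LOLBins reaching out to a URL
    re.compile(r"\b(mshta|regsvr32|rundll32|wscript|cscript|certutil|bitsadmin)(\.exe)?\b.*https?://", re.I),
]

# Volatile fragments that make one logical task look like many distinct ones.
_GUID = re.compile(r"\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?")
_SID = re.compile(r"s-1-5-21(-\d+)+")
_USER_PROFILE = re.compile(r"\\users\\[^\\]+\\")


def is_suspicious(command_line):
    return any(p.search(command_line) for p in SUSPICIOUS_PATTERNS)


def normalize(text):
    text = re.sub(r"\s+", " ", text.strip().lower())
    text = _GUID.sub("<guid>", text)
    text = _SID.sub("<sid>", text)
    return _USER_PROFILE.sub(r"\\users\\<user>\\", text)


def task_key(event):
    """Fleet-wide identity of a task: normalized name plus normalized action.
    The host is deliberately left out so the same task pushed to many hosts is one task."""
    return (normalize(event["task_name"]), normalize(event["command_line"]))


class FirstSeenTaskDetector:
    def __init__(self, baseline=()):
        self.seen = set(baseline)  # keys of every task registration observed so far

    def process(self, event):
        """Record the task; return an alert only if it is both suspicious and new."""
        key = task_key(event)
        is_new = key not in self.seen
        self.seen.add(key)
        if is_new and is_suspicious(event["command_line"]):
            return {"host": event["host"], "task_name": event["task_name"],
                    "command_line": event["command_line"],
                    "reason": "suspicious scheduled task seen for the first time"}
        return None


def run(events, baseline=()):
    detector = FirstSeenTaskDetector(baseline)
    return [a for a in map(detector.process, events) if a is not None]


# Constructed sample data. HISTORICAL_EVENTS stands in for what has already been
# observed; NEW_EVENTS is the batch being evaluated.
HISTORICAL_EVENTS = [
    {"host": "WS01", "task_name": r"\OneDrive Reporting Task-S-1-5-21-1111-2222-3333-1001",
     "command_line": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe"},
]
NEW_EVENTS = [
    {"host": "WS01", "task_name": r"\Microsoft\Windows\UpdateOrchestrator\Schedule Scan",
     "command_line": r"%systemroot%\system32\usoclient.exe StartScan"},
    # Same OneDrive task on another host for another user: different SID and profile path,
    # but the normalized key matches the baseline, so it is not new.
    {"host": "WS02", "task_name": r"\OneDrive Reporting Task-S-1-5-21-1111-2222-3333-1002",
     "command_line": r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe"},
    # Encoded-command payload is a constructed, truncated fragment.
    {"host": "WS02", "task_name": r"\Updater",
     "command_line": r"powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    # The same task registered on a second host: already seen, so no second lead.
    {"host": "WS03", "task_name": r"\Updater",
     "command_line": r"powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
]

if __name__ == "__main__":
    for alert in run(NEW_EVENTS, baseline={task_key(e) for e in HISTORICAL_EVENTS}):
        print(alert)
```

Two design choices matter here. Every registration is added to the baseline, suspicious or not, so the suppression is about novelty, not about the heuristic; and the key omits the host, so a task pushed to the whole fleet yields one lead instead of one per machine. The cost of both choices is that a known-bad task re-registered later is silent, which is why the detector is described as catching new tasks rather than all of them.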

  • Improvements to detectors running over the network traffic unified schema:

    • Added the columns intermediate_source_ip, intermediate_destination_ip, intermediate_source_port and intermediate_destination_port, which hold the NAT-translated addresses and ports for data sources that report them.

    • Added the application and device_name columns.

    • Additional performance improvements.
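The practical consequence of the new NAT columns is that an address can appear in a flow either as observed or as translated, and a pivot on a single IP has to look in both places. The following is an added example, not Hunters' schema code, of populating those columns from a firewall record and pivoting across them. Of the column names it uses, only intermediate_source_ip, intermediate_destination_ip, intermediate_source_port, intermediate_destination_port, application and device_name come from the release note; source_ip, source_port, destination_ip and destination_port are the author's assumptions, and the vendor-side field names (src, nat_src and so on) and the sample records are constructed rather than any particular product's format.

```python
"""Populate the NAT ("intermediate") columns of a unified network-traffic row and
pivot on an IP across both the observed and the translated columns.

Added example, not Hunters' schema code. Assumptions, labelled: the release note
names intermediate_source_ip, intermediate_destination_ip, intermediate_source_port,
intermediate_destination_port, application and device_name; every other column name
here (source_ip, source_port, destination_ip, destination_port) is the author's
assumption, and the vendor-side field names and sample records are constructed rather
than any particular product's log format.
"""

UNIFIED_COLUMNS = (
    "device_name", "application",
    "source_ip", "source_port", "destination_ip", "destination_port",
    "intermediate_source_ip", "intermediate_source_port",
    "intermediate_destination_ip", "intermediate_destination_port",
)

# Many firewalls emit the NAT fields unconditionally and fill them with a null
# address, or with the untranslated tuple, when no translation happened.
_NO_NAT = {None, "", "0.0.0.0", "::"}


def _translated(ip, port, orig_ip, orig_port):
    """Return (ip, port) if a real translation happened, else (None, None)."""
    if ip in _NO_NAT or (ip == orig_ip and port in (None, 0, orig_port)):
        return None, None
    return ip, (port or None)


def normalize_firewall_record(rec):
    """Map a constructed vendor record onto the unified columns.
    Observed fields: src/sport/dst/dport; translated: nat_src/nat_sport/nat_dst/nat_dport."""
    row = dict.fromkeys(UNIFIED_COLUMNS)
    row.update(device_name=rec["device"], application=rec.get("app"),
               source_ip=rec["src"], source_port=rec["sport"],
               destination_ip=rec["dst"], destination_port=rec["dport"])
    row["intermediate_source_ip"], row["intermediate_source_port"] = _translated(
        rec.get("nat_src"), rec.get("nat_sport"), rec["src"], rec["sport"])
    row["intermediate_destination_ip"], row["intermediate_destination_port"] = _translated(
        rec.get("nat_dst"), rec.get("nat_dport"), rec["dst"], rec["dport"])
    return row


IP_COLUMNS = ("source_ip", "destination_ip", "intermediate_source_ip", "intermediate_destination_ip")


def rows_involving_ip(rows, ip):
    """Pivot on an address wherever it appears, before or after translation."""
    return [r for r in rows if any(r[c] == ip for c in IP_COLUMNS)]


# Constructed sample records (TEST-NET addresses).
SAMPLE_FIREWALL_RECORDS = [
    # Outbound, source NAT to the firewall's public address.
    {"device": "fw-edge-01", "app": "ssl", "src": "10.0.0.5", "sport": 51000,
     "dst": "203.0.113.10", "dport": 443, "nat_src": "198.51.100.1", "nat_sport": 40001,
     "nat_dst": "0.0.0.0", "nat_dport": 0},
    # Inbound, destination NAT from a published address to an internal web server.
    {"device": "fw-edge-01", "app": "web-browsing", "src": "203.0.113.77", "sport": 5555,
     "dst": "198.51.100.2", "dport": 443, "nat_src": "0.0.0.0", "nat_sport": 0,
     "nat_dst": "10.0.0.8", "nat_dport": 8443},
    # East-west traffic with no translation; the NAT fields repeat the original tuple.
    {"device": "fw-core-01", "app": "ms-ds-smb", "src": "10.0.0.5", "sport": 52000,
     "dst": "10.0.1.9", "dport": 445, "nat_src": "10.0.0.5", "nat_sport": 52000,
     "nat_dst": "10.0.1.9", "nat_dport": 445},
]

if __name__ == "__main__":
    rows = [normalize_firewall_record(r) for r in SAMPLE_FIREWALL_RECORDS]
    for r in rows_involving_ip(rows, "10.0.0.8"):
        print(r)
```

The inbound record is the case to remember: the internal server 10.0.0.8 never appears in destination_ip, only in intermediate_destination_ip, so a hunt that checks the observed columns alone will report that the host received no traffic from the suspect external address.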