This page contains information about new content released in the last month, and improvements and bug fixes to existing content.
This information, and information about all existing content, can also be found in the Knowledge Center in the Hunters portal.

New Content

Each entry lists the category, name, description, prerequisites, and where the content can be found in the portal.

Drilldown: User Logon History
  Description: Queries the raw data for any logon made by the username in the 30 days prior to the lead time.
  Prerequisites: EDR Logon Logs
  Where it can be found: Entity Activity

Drilldown: Host Logon History
  Description: Queries the raw data for any logon made to the host in the 30 days prior to the lead time.
  Prerequisites: EDR Logon Logs
  Where it can be found: Entity Activity

Drilldown: Okta MFA for Login
  Description: Queries the raw data for the MFA events that follow an Okta login lead. Determines the authentication outcome and counts MFA failures in order to catch push-flood attempts. Compares the factor against a few categories of trustworthy factors (Yubikey or FIDO 2FA keys; the Okta Verify app).
  Prerequisites: Okta Logs
  Where it can be found: Leads Page (Okta leads: “Okta Logs Suspicious Login”, “Okta Login from Host Without an EDR Agent”)

Scoring Model: Okta MFA for Login model
  Description: Scores the lead based on the MFA flow outcome found in the drilldown above. Raises the confidence for successful or failed push-flood attacks, lowers the severity for MFA failures, and lowers the confidence for trustworthy MFA methods.
  Prerequisites: Okta Logs
  Where it can be found: Leads Page (Okta leads: “Okta Logs Suspicious Login”, “Okta Login from Host Without an EDR Agent”)
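The drilldown and scoring model above describe one flow: collect the MFA events after a login, classify the outcome, count push failures to spot a push flood, and then move the lead's confidence and severity accordingly. The following is an added illustration of that logic, written for this page and not Hunters' own implementation. The event fields, factor labels (FIDO_WEBAUTHN, YUBIKEY_OTP, OKTA_VERIFY_TOTP, OKTA_VERIFY_PUSH), the ten-minute window, the flood threshold of five failed pushes and the score adjustments are all assumptions chosen for the example; the sample events are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Assumed tuning values (not taken from the page).
MFA_WINDOW = timedelta(minutes=10)      # how long after the login we look for MFA events
PUSH_FLOOD_THRESHOLD = 5                # failed/denied pushes that count as a push flood
PUSH_FACTOR = "OKTA_VERIFY_PUSH"
# Simplified labels standing in for the page's "trustworthy" factors
# (Yubikey / FIDO 2FA keys, Okta Verify app). Assumed names, not Okta's field values.
TRUSTED_FACTORS = {"FIDO_WEBAUTHN", "YUBIKEY_OTP", "OKTA_VERIFY_TOTP"}


@dataclass
class MfaEvent:
    user: str
    time: datetime
    outcome: str   # "SUCCESS" or "FAILURE"
    factor: str


def analyse_mfa(user: str, login_time: datetime, events: List[MfaEvent]) -> Dict:
    """Drilldown step: select the MFA events that follow the login and classify the flow."""
    window = sorted(
        (e for e in events
         if e.user == user and login_time <= e.time <= login_time + MFA_WINDOW),
        key=lambda e: e.time,
    )
    successes = [e for e in window if e.outcome == "SUCCESS"]
    failures = sum(1 for e in window if e.outcome == "FAILURE")
    push_failures = sum(1 for e in window
                        if e.outcome == "FAILURE" and e.factor == PUSH_FACTOR)
    if not window:
        outcome = "NO_MFA"
    elif successes:
        outcome = "SUCCESS"
    else:
        outcome = "FAILURE"
    push_flood = push_failures >= PUSH_FLOOD_THRESHOLD
    return {
        "outcome": outcome,
        "failures": failures,
        "push_flood": push_flood,
        # A flood that ends with an approved push is the case an analyst must see first.
        "push_flood_succeeded": push_flood and outcome == "SUCCESS",
        "trusted_factor": any(e.factor in TRUSTED_FACTORS for e in successes),
    }


def _clamp(value: int) -> int:
    return max(0, min(100, value))


def score_lead(analysis: Dict, base_confidence: int = 50, base_severity: int = 50) -> Dict:
    """Scoring step: adjust confidence/severity from the drilldown result (assumed deltas)."""
    confidence, severity = base_confidence, base_severity
    if analysis["push_flood"]:
        # Raise confidence for both successful and failed push floods; more for a success.
        confidence += 30 if analysis["push_flood_succeeded"] else 20
    elif analysis["outcome"] == "FAILURE":
        severity -= 20          # plain MFA failure: the login did not complete
    if analysis["outcome"] == "SUCCESS" and analysis["trusted_factor"]:
        confidence -= 25        # phishing-resistant factor approved the login
    return {"confidence": _clamp(confidence), "severity": _clamp(severity)}


# Constructed sample data: one login lead at T0 for each user.
T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_EVENTS: List[MfaEvent] = (
    # alice: six denied pushes in two minutes, then an approved one -> successful push flood
    [MfaEvent("alice", T0 + timedelta(seconds=20 * i), "FAILURE", PUSH_FACTOR) for i in range(6)]
    + [MfaEvent("alice", T0 + timedelta(minutes=3), "SUCCESS", PUSH_FACTOR)]
    # bob: single FIDO key success -> trustworthy factor
    + [MfaEvent("bob", T0 + timedelta(seconds=15), "SUCCESS", "FIDO_WEBAUTHN")]
    # carol: two TOTP failures and no success -> MFA failure
    + [MfaEvent("carol", T0 + timedelta(seconds=30), "FAILURE", "OKTA_VERIFY_TOTP"),
       MfaEvent("carol", T0 + timedelta(seconds=50), "FAILURE", "OKTA_VERIFY_TOTP")]
)


def score_user(user: str) -> Dict:
    return score_lead(analyse_mfa(user, T0, SAMPLE_EVENTS))


if __name__ == "__main__":
    for u in ("alice", "bob", "carol", "dave"):
        print(u, analyse_mfa(u, T0, SAMPLE_EVENTS)["outcome"], score_user(u))
```

Keeping the drilldown (`analyse_mfa`) separate from the scoring (`score_lead`) mirrors the two entries above: the same classification can be shown to an analyst on the lead page and reused by the model, and the thresholds can be tuned without touching the query logic.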

Detector: Process Dump Using comsvcs.dll Module
  Description: Dumping process memory through the comsvcs.dll module (COM+ Services DLL) is a common technique used by threat actors and adversaries.
  Prerequisites: EDR Process Logs
  Where it can be found: Leads Page, SOC Queue
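As an added illustration of what such a detector checks in EDR process logs (example code written for this page, not Hunters' detector), the function below flags process-creation events whose command line references comsvcs.dll together with its MiniDump export, and enriches the lead with the numeric process-id argument so the analyst can see which process was targeted. The log records and field names are constructed and simplified.

```python
import re
from typing import Dict, List, Optional

# Match the DLL and the export name rather than a specific host binary: the same
# export can be reached from other processes than rundll32.exe.
COMSVCS_RE = re.compile(r"comsvcs(\.dll)?", re.IGNORECASE)
MINIDUMP_RE = re.compile(r"\bminidump\b", re.IGNORECASE)
# The export is usually followed by the target PID; capture it for enrichment.
TARGET_PID_RE = re.compile(r"\bminidump\b\s*,?\s*(\d+)", re.IGNORECASE)


def is_comsvcs_dump(event: Dict) -> bool:
    cmdline = event.get("cmdline", "")
    return bool(COMSVCS_RE.search(cmdline) and MINIDUMP_RE.search(cmdline))


def target_pid(cmdline: str) -> Optional[int]:
    m = TARGET_PID_RE.search(cmdline)
    return int(m.group(1)) if m else None


def detect_comsvcs_dumps(events: List[Dict]) -> List[Dict]:
    """Return one lead per matching process-creation event."""
    leads = []
    for e in events:
        if is_comsvcs_dump(e):
            leads.append({
                "host": e["host"],
                "user": e["user"],
                "image": e["image"],
                "target_pid": target_pid(e["cmdline"]),
                "reason": "comsvcs.dll MiniDump export invoked from command line",
            })
    return leads


# Constructed EDR process-creation records (not real telemetry).
SAMPLE_PROCESS_LOGS = [
    {"host": "ws-01", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},           # benign rundll32 use
    {"host": "ws-01", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 612 C:\Users\Public\out.dmp full"},
    {"host": "srv-02", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"svchost.exe -k netsvcs -p"},                                  # unrelated service
]


if __name__ == "__main__":
    for lead in detect_comsvcs_dumps(SAMPLE_PROCESS_LOGS):
        print(lead)
```

Because the match is on the DLL name and export rather than on `rundll32.exe`, the first (legitimate) rundll32 event is not flagged while the comsvcs.dll invocation is, regardless of which process issued it. In production the lead would additionally resolve `target_pid` against the EDR's process table to name the dumped process.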

Detector: Suspicious File Detected by PAN
  Description: Using the PAN Threat Logs, detects suspicious files (subtype 'file'). Filters out alerts with "informational" or "low" severity.
  Prerequisites: PAN Threat Logs
  Where it can be found: Leads Page

Improvements and Bugfixes

  • Improved scoring of the detector “IP IOC Found in EDR Network Event” by extracting the local port in inbound connections, and increasing the confidence of leads where the connection was made to a commonly abused port.

  • Rearranged our Netskope integration and introduced a separate detection for native Malware alerts.

  • Extracted the accurate device platform attribute for Microsoft Defender for Endpoint leads.

  • Better extraction of usernames from logon attempts observed in Windows Event Logs.

  • Improvements to os_username graph correlations to prevent connections between entities that appear on many different EDR agents.