Week 34, 2023

There’s a strong “data exfiltration” vibe to this week’s release notes. Read on to learn about two new checks, as well as a new customization option for Personal VPN Usage.

⬇️ Catch Guests Exfiltrating Code in GitHub

Last month, we introduced our integration with GitHub. GitHub is particularly interesting because it broadens the scope of identity threats we can detect. The data stored on GitHub is especially appealing to attackers; you can read more about why, along with real-world examples, in MITRE’s Data from Information Repositories: Code Repositories (T1213.003).
As a real example, we recently discovered a series of risky events on GitHub. Within less than 24 hours, a team member extended an invitation to an external account, which was promptly accepted, leading to the complete cloning of a repository.
It is this exact use case that we are detecting with our new check, Code Exfiltration by Guest Account. This check detects external accounts that have recently been created and have successfully downloaded a repository. If an external user's account was created within the past 7 days and they downloaded a repository, they will fail this check. You may customize the number of days between when the invitation was sent and the repository download.
To enable this integration, we have created a new data collection type for GitHub – User Enterprise Emails. Please ensure this is enabled if you wish to use this check.
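The rule described above, sketched as an added example (not the product's own code): correlate each external account's invitation with its later repository downloads and flag any download inside the configurable window. The event records, field names and action names are constructed for illustration and are not the GitHub audit log schema.

```python
from datetime import datetime, timedelta

# Constructed sample events; field and action names are hypothetical.
EVENTS = [
    {"ts": "2023-08-21T09:00:00", "action": "guest_invited", "actor": "ext-contractor", "external": True},
    {"ts": "2023-08-21T15:30:00", "action": "repo_download", "actor": "ext-contractor", "repo": "acme/payments"},
    {"ts": "2023-08-01T10:00:00", "action": "guest_invited", "actor": "ext-auditor", "external": True},
    {"ts": "2023-08-22T11:00:00", "action": "repo_download", "actor": "ext-auditor", "repo": "acme/docs"},
    # Internal member: never invited as a guest, so out of scope for this check.
    {"ts": "2023-08-22T12:00:00", "action": "repo_download", "actor": "staff-dev", "repo": "acme/payments"},
    # Download that predates the invitation must not be matched against it.
    {"ts": "2023-08-20T08:00:00", "action": "repo_download", "actor": "ext-early", "repo": "acme/site"},
    {"ts": "2023-08-22T08:00:00", "action": "guest_invited", "actor": "ext-early", "external": True},
]


def failing_guests(events, window_days=7):
    """Return (actor, repo, delay) for each repository download made by an
    external account within window_days of its invitation."""
    window = timedelta(days=window_days)
    invited_at = {}  # actor -> time of most recent invitation
    findings = []
    # Process chronologically so a download only matches an earlier invitation.
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["action"] == "guest_invited" and ev.get("external"):
            invited_at[ev["actor"]] = ts  # a re-invite restarts the window
        elif ev["action"] == "repo_download":
            start = invited_at.get(ev["actor"])
            if start is not None and ts - start <= window:
                findings.append((ev["actor"], ev["repo"], ts - start))
    return findings


if __name__ == "__main__":
    for actor, repo, delay in failing_guests(EVENTS):
        print(f"FAIL {actor}: downloaded {repo} {delay} after invitation")
```

Widening `window_days` trades fewer missed slow-moving guests for more alerts on long-standing contractors, which is the tuning decision the check's customizable day count exposes.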

📧 Detect Suspicious Email Forward Rules

The second new check we have added is Users with Defined Email Forward Rules.
Unfortunately, users are often tempted to share emails between their personal and work accounts. While this is often benign, it can indicate a genuine data exfiltration attempt. Our new check gives security teams visibility into which users have email forward rules in place. This should be of particular interest if an employee is disgruntled or known to be moving jobs soon.
Two weeks ago, we mentioned that we have expanded the scope of Microsoft Entra ID collection to include message rules. We’ve now used this new form of collection to enable this detection type.
This check is specific to Microsoft Entra ID, but you can learn more about a similar check for Google Workspace here.

⚙️ Increased Customization for Personal VPN Check

Many of you have been enjoying the Personal VPN Check, and we’ve continued to iterate on this check to add further opportunities for customization.
In this release, we have added the option to limit the scope of this check to only managed devices. There is a simple toggle in Check Settings that may be turned on if you wish to enable this feature.

Bug Fixes and Minor Improvements

  • Notifications in Microsoft Teams. To keep within the required message size limit, we have reduced the number of failing users displayed on a Microsoft Teams notification to five. This is a result of more detailed context being provided per user.
  • Pagination for Applications. Within the Applications tab of the User360 profile, we’ve made improvements to display the list of applications across multiple pages. You can choose the number of rows displayed on the page.
  • Weekly Digest. Clicking through to the dashboard from weekly digest emails will automatically display the relevant check feedback, such as instances marked as false positives.
  • User Page Search Improvements. You can now search by additional parameters, such as password reset date and user agent usage.
  • Microsoft Entra ID Collection. Expanded collection to improve Service Principal data type.