In 2022, we collected a lot of data here at Blumira — over 5,000 TB — to protect our customers from threats. Looking back on the year, we can uncover patterns in the data to continually improve our detection & response capabilities.
What are some trends we noticed in 2022? Let’s delve in.
At Blumira, we rely on a mixture of signature-based and behavior-based detection for a more nuanced view of suspicious behavior in an environment that could lead to an attack. We proactively identify and reach out to our customers when our platform identifies a malicious detection — what we call a finding — that is critical to respond to and stop an attack early.
These detections, or findings, are split into different categories based on the type of activity. The most common category across Blumira for 2022 was Users and Groups. This encompasses all detections around account lockouts, login failures, and other user-based issues within environments.
Other common categories included:
Getting more granular, we saw an increase in findings for Microsoft 365 multi-factor authentication (MFA) enrollment skips — not including email forwarding, because we advise our customers to do that.
Microsoft strongly encourages MFA usage, claiming that it can block 99.9% of account compromise attacks. In October 2022, Microsoft started deprecating legacy and basic authentication, even if it is still in use.
We also saw an increase in Microsoft 365 domain administrator creations. Each organization should have a very limited number of domain admins, since their elevated permissions bring a lot of power.
In 2023, ensure that all of your users are enrolled in MFA and that you reduce the number of administrator accounts across your environment as much as possible.
10. modification of Microsoft 365 group
9. indicator: Microsoft 365 exchange domain added
8. indicator: null session authentication by known attack tool
7. indicator: Azure AD global administrator role assignment
6. indicator: potential clear-text password on local system by file write
5. indicator: Microsoft 365 – malware campaign detected in SharePoint and OneDrive
4. indicator: Microsoft 365 – user requested to release a quarantined message
3. Microsoft 365 – creation of forwarding/redirect rule to external domain
2. indicator: Microsoft 365 – suspicious inbox rule creation
1. Microsoft 365 – excessive number of mfa enrollment skips
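Finding #3 above (a forwarding or redirect rule pointing at an external domain) is a good illustration of a simple behavior-based detection. The following is an added example written for this page, not a Blumira rule; it assumes Exchange audit records shaped like Microsoft 365 unified audit log entries (an `Operation` of `New-InboxRule` or `Set-InboxRule` with a `Parameters` list of `Name`/`Value` pairs), and the internal domain and sample records are constructed.

```python
# Flag inbox rules that forward or redirect mail outside the organization.
# Record shape is assumed to follow the Microsoft 365 unified audit log (Exchange workload).

INTERNAL_DOMAINS = {"example.com"}          # constructed: domains the tenant owns
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}


def _extract_addresses(value):
    """Parse values such as 'Mallory [SMTP:m@evil.example]' or a bare
    address; several recipients may be ';'-separated."""
    addrs = []
    for part in value.split(";"):
        part = part.strip()
        upper = part.upper()
        if "SMTP:" in upper:
            part = part[upper.index("SMTP:") + 5:].rstrip("]")
        if "@" in part:
            addrs.append(part.lower())
    return addrs


def external_forward_targets(record, internal_domains=INTERNAL_DOMAINS):
    """Return external addresses the rule forwards/redirects to ([] if benign)."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return []
    hits = []
    for param in record.get("Parameters", []):
        if param.get("Name") in FORWARDING_PARAMS:
            for addr in _extract_addresses(str(param.get("Value", ""))):
                if addr.rsplit("@", 1)[1] not in internal_domains:
                    hits.append(addr)
    return hits


def scan(records):
    """Run the check over a batch of audit records and return one finding per hit."""
    findings = []
    for rec in records:
        targets = external_forward_targets(rec)
        if targets:
            findings.append({"user": rec.get("UserId"),
                             "operation": rec["Operation"], "targets": targets})
    return findings


# Constructed sample records: one malicious external forward, two benign rules.
SAMPLE_RECORDS = [
    {"UserId": "alice@example.com", "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "Invoices"},
                    {"Name": "ForwardTo", "Value": "Mallory [SMTP:attacker-mailbox@external.example]"}]},
    {"UserId": "bob@example.com", "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Archive"}]},
    {"UserId": "carol@example.com", "Operation": "Set-InboxRule",
     "Parameters": [{"Name": "RedirectTo", "Value": "alice@example.com"}]},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(finding)
```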
Think you’re seeing too many (or too few) findings as a Blumira customer? Make sure to check out our Rule Management and Detection Filters features! These allow you to tweak your detections to fit your environment.
As an open platform, Blumira has over 50 native integrations with common software and security tools, all of which send logs to Blumira for monitoring. In fact, Blumira customers average 15 log sources, everything from operating systems to firewalls and EDR systems. And, given that we have a Free edition built around Microsoft 365, it’s no surprise that multiple Microsoft products appear on the list of the top 10 most common data sources.
10. Sentinel_one_activities
9. Sophos_xg_traffic
8. Asa_traffic
7. Palo_alto_traffic
6. Office365_aad
5. Sonicwall_traffic
4. Meraki_flows
3. Windows_firewall
2. Office365_exchange
1. Windows
Resolving a threat is like turning the last page of a book and closing the cover — it feels good to wrap up so you can move on to the next priority. To make it easier to finish the book, Blumira provides guided playbooks and has a SecOps team standing by for critical findings. In fact, over 18% of the threats detected and resolved by our customers were P1 threats – those that need to be acted upon immediately.
Resolving threats isn’t always easy, but we do everything in our power to make it as easy as possible. Guided response playbooks are included with every finding, and admins have the option to walk through those steps themselves, assign the finding to another team member, or contact Blumira support for more information. But just what do these playbooks include?
Yes/No Workflow Questions:
Possible Outcomes
Follow Up Questions With Potentially Compromised Accounts
And it seems those playbooks really do help our customers close things out. Almost half of our customers resolved every single detection that appeared in their system; a 100% threat response rate is amazing! About 60% of the organizations using the Blumira platform resolved at least 90% of the findings they received.
Interested in seeing just how easy it is to receive findings and resolve threats with the Blumira platform? Check out our Free edition for Microsoft 365. There’s no credit card or additional licensing required, and you get the full set of detections and response playbooks for M365.