Cloud infrastructure – Identify common cloud misconfigurations, modified security groups, attempts to connect with C2 (attacker-controlled) servers, and credential exfiltration.
Identity and access – Foil attempts to log in to your systems, quickly detect geo-impossible logins, and zero in on fraudulent login attempts that could indicate the theft of usernames and passwords.
Email documents – Blumira SIEM watches for attack signatures like anomalous access attempts, external document sharing, and email forwarding. You’ll also be alerted to new inbox rules created by attackers trying to evade detection.
Endpoint security – Blumira tracks all of the above while rooting out malware, compromised processes, and unknown or blocklisted applications running on devices. Blumira SIEM also detects attacker tools like Mimikatz, Cobalt Strike, PowerShell Empire, BloodHound, and SharpHound.
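Geo-impossible login detection, named above, works by comparing consecutive logins for the same account: if the great-circle distance between the two geolocated source addresses could not have been covered in the elapsed time, the second login is suspect. The following is an added illustration, not Blumira's own detection logic; the 900 km/h threshold, the one-minute floor on elapsed time, and the sample events are all assumptions.

```python
from collections import namedtuple
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # assumed threshold: roughly airliner cruise speed; tune per environment

@dataclass(frozen=True)
class Login:
    user: str
    ts: datetime
    lat: float
    lon: float
    src_ip: str

# One flagged pair of logins plus the distance and speed that made it implausible.
Finding = namedtuple("Finding", "user earlier later distance_km required_kmh")

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two lat/lon points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH, min_gap=timedelta(minutes=1)):
    """Flag consecutive same-user logins whose implied travel speed exceeds max_kmh.
    min_gap floors the elapsed time so near-simultaneous events never divide by zero."""
    by_user = {}
    for login in logins:
        by_user.setdefault(login.user, []).append(login)
    findings = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e.ts)
        for a, b in zip(events, events[1:]):
            km = haversine_km(a.lat, a.lon, b.lat, b.lon)
            hours = max(b.ts - a.ts, min_gap).total_seconds() / 3600
            if km / hours > max_kmh:
                findings.append(Finding(user, a, b, km, km / hours))
    return findings

# Constructed sample events (coordinates would come from IP geolocation upstream); not real data.
SAMPLE_LOGINS = [
    Login("alice", datetime(2024, 5, 1, 9, 0), 42.33, -83.05, "198.51.100.10"),  # Detroit
    Login("alice", datetime(2024, 5, 1, 9, 45), 50.11, 8.68, "203.0.113.7"),  # Frankfurt, 45 min later
    Login("bob", datetime(2024, 5, 1, 9, 0), 42.33, -83.05, "198.51.100.11"),  # Detroit
    Login("bob", datetime(2024, 5, 1, 14, 0), 41.88, -87.63, "198.51.100.12"),  # Chicago, 5 h later
]

def demo_findings():
    return impossible_travel(SAMPLE_LOGINS)  # only alice's Detroit-to-Frankfurt pair is flagged
```

In practice, VPN egress points and shared corporate NAT addresses produce benign "impossible" pairs, so an allowlist of known egress ranges belongs in front of this check.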
For a handy overview of the features Blumira users rely on the most, access our threat detection datasheet.
Blumira surfaces real findings at every attack stage to empower IT teams so you can act and respond quickly. Faster detection and response means faster containment – mitigating the threat before it damages your organization.
Reconnaissance – Know when attackers are gathering information to use in future attacks. With Blumira, you can detect internal port scanning and reconnaissance, unusual Java discovery commands, and honeypot access. Blumira also detects domain enumeration anomalies as well as enumeration through AS-REP Roasting, Kerberoasting, and SYSVOL.
Initial access – Identify when an intruder is attempting to get into your network. Blumira monitors for much more than remote access tools (RATs), failed logons, and phishing attempts. Blumira is built to flag unusual access attempts using MFA requests, web authentication, RDP, FTP, SSH, SMB, and public IP connections.
Execution – Get notified when Blumira sees an attacker running malicious code, including tool execution through PowerShell, command and scripting interpreters, or signed binary proxy execution. Blumira also detects suspicious parent processes, macros, and attachments.
Persistence – Stop attackers who are trying to maintain a foothold in your environment. Suspicious activity can point to unwanted entities setting up residency in your systems. Blumira detects the unusual addition of new services, admin-level accounts, scheduled tasks, and system processes. You can also set notifications for suspicious Cron jobs, web shell interactions, Java, and registry run scripts.
Privilege escalation – Know when someone is trying to gain higher-level permissions. Attackers will try to seek additional access by adding a new IAM role, exploiting Sudo, disabling UAC, or adding themselves to a privileged group. Blumira detects these attempts, along with memory dumping, pass-the-hash, process injection, and malicious in-memory behavior.
Defense evasion – Detect attackers even when they’re trying to avoid detection. Blumira engineers stay ahead of evolving cyberattacks and techniques, making it hard for adversaries to hide. We’re always adding new detections so you can spot changes in audit or domain policy, Bash/Zsh history, and proxy processes. You’ll also be notified when real-time protections, firewalls, Windows event logging, and command history logging are disabled.
Credential access – Block attackers from stealing account names and passwords. Because there are many ways to abscond with credentials, Blumira has many ways to detect unauthorized activity. With Blumira you’ll be notified of attempts to bypass MFA user authentication, gain access via brute-force, log in to a console without MFA, exfiltrate AWS IAM credentials, create an application password, or use unsecured credentials. Blumira also detects attacker tools like Mimikatz.
Discovery – Spot activity that reveals a threat actor who’s trying to figure out your environment. Blumira will detect unusual findstr and net-recon commands, as well as attempts at account, network share, file, and directory discovery. It will also notify you of unwanted injected explorer, null-session, BloodHound, and registry permissions activity.
Lateral movement – Uncover evidence of outsiders moving through your network. This kind of activity includes registry lateral movement, WinRM remote code execution, Linux reverse shells, use of honeytokens, remote desktop connections (RDP), remote scheduled task creation, compromised EC2 traffic, lateral tool transfer, and NTLM authentication tampering.
Command and control (C2) – Block communication with compromised systems. Blumira detects EC2 C2 activity, attack tool C2 reports, remote access tools (RATs), DNS anomalies, external proxies, keyhole VNC activity, RDP over reverse tunnel, DNS tunneling, and malicious webshell connections.
Exfiltration – Identify attempts to steal data. You can use Blumira to intercept exfiltration over the C2 channel or via external document sharing, physical media, network media, and compressed data. Blumira also detects ARP poisoning, AzCopy and Rclone, multiple suspicious outbound connections, and Tor tunnel traffic.
Impact – Catch attackers when they’re trying to destroy systems and data. Blumira will warn you of nefarious activity including event log clearing, admin changes, mass object deletion, .PST file exports, key vault tampering, and blocked cryptomining traffic. Blumira also identifies vulnerabilities like unsafe file permissions, failing hard drives, and backup errors.
Get our detection datasheet for a checklist of the many ways Blumira monitors for activity throughout your environment, at every stage of threat potential.
Blumira SIEM takes a radically different approach to defensive security by focusing on what’s critical and urgent so you’re not distracted with an avalanche of alerts. Decreased noise helps your team do their jobs more efficiently, and that means better security outcomes for your organization.
This focus on automation, testing, correlation, and prioritization significantly reduces alert volume while giving context to alerts coming in. Blumira does this so you can focus on the most threatening activity without being sidetracked by noise and false positives that cause alert fatigue.
Your IT and SOC teams can spend less time doing hands-on monitoring because Blumira does the heavy lifting for you. Cyber attackers are continually evolving their attacks, so Blumira is evolving, too. This includes gathering and subscribing to threat intelligence feeds, along with developing and maintaining data parsers.
Meet your compliance control objectives, save time on security tasks, focus on real threats, and protect against breaches faster with Blumira.
Sign up for the FREE Blumira SIEM to get:
No credit card is required!