In February, we announced the beta release of Blumira’s Public API, allowing customers to request access to on-demand findings data outside of the application. We also added new detection rules to our suite, including those for Windows login tampering and suspicious service creation, along with various improvements and bug fixes.
Feature and Platform Updates
Public API Beta: Customers can now request access to Blumira’s Public API to access findings data on-demand outside of the application. As we continue to work on our API capabilities, we welcome early testers on paid Blumira editions to click here to request beta access and give ongoing feedback.
Note: The API currently does not grant MSPs access to sub-accounts; this is planned work for full release as we continue to actively build on the API.
Field Sorting: When editing reports in Report Builder, fields now appear alphabetically in the dropdown menu for easier navigation to the fields you are most interested in.
Error Handling: We improved our error handling/messaging for when a user attempts to add a filter without selecting a data source in the Report Builder.
Detection Updates
Log Type | Detection Rule Name | Details |
---|---|---|
Windows | NEW - Winlogon Registry Tampering: Change to Startup Behavior | This detection alerts on attempts to manipulate the Windows login process by modifying critical registry paths related to Winlogon. Attackers can exploit these registry locations to force the system to run unauthorized programs during user authentication, creating persistent threats that activate whenever users log in. Default state: Enabled |
Windows | NEW - New Service Creation Using Sc.EXE | This detection identifies potentially malicious service creation using the “Sc.exe” utility. It triggers when a service is created with a suspicious executable path, such as one located in a user directory or temporary folder, which is uncommon for legitimate services. This technique is used by threat actors to establish persistence or execute malicious code on the system. Default state: Enabled |
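To show the shape of the two new rules, here is an added example (not Blumira's code or schema) that applies both checks to constructed Sysmon-style events: registry writes (Event ID 13) to the Winlogon values that control logon-time execution, and sc.exe process creations (Event ID 1) whose binPath points into a user or temp directory. Field names, the sample events and the path heuristics are assumptions for illustration.

```python
import re

# Constructed sample events (field names are assumptions, not Blumira's schema).
SAMPLE_EVENTS = [
    {"event_id": 13, "image": r"C:\Windows\regedit.exe",
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "details": r"C:\Windows\system32\userinit.exe,C:\Users\Public\update.exe"},
    {"event_id": 13, "image": r"C:\Windows\System32\svchost.exe",
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell",
     "details": "DWORD (0x00000001)"},
    {"event_id": 1, "image": r"C:\Windows\System32\sc.exe",
     "command_line": r'sc.exe create WinUpdateSvc binPath= "C:\Users\alice\AppData\Local\Temp\svc.exe" start= auto'},
    {"event_id": 1, "image": r"C:\Windows\System32\sc.exe",
     "command_line": r'sc.exe create MyAgent binPath= "C:\Program Files\Vendor\agent.exe"'},
    {"event_id": 1, "image": r"C:\Windows\System32\sc.exe",
     "command_line": "sc.exe query Spooler"},
]

# Winlogon values/subkeys that decide what runs when a user logs on.
WINLOGON_VALUES = re.compile(
    r"\\CurrentVersion\\Winlogon\\(Shell|Userinit|Notify)(\\|$)", re.IGNORECASE)
# Binary locations that are unusual for a legitimate service (heuristic, assumed).
SUSPICIOUS_PATH = re.compile(r"(^[A-Z]:\\Users\\|\\Temp\\)", re.IGNORECASE)
# Pulls the binPath= argument, quoted or not, out of an sc.exe command line.
BINPATH = re.compile(r'binpath=\s*"?([^"]+?)"?(?:\s|$)', re.IGNORECASE)


def winlogon_tampering(event):
    """Registry write (Event ID 13) to a Winlogon value controlling logon execution."""
    return event.get("event_id") == 13 and bool(
        WINLOGON_VALUES.search(event.get("target_object", "")))


def suspicious_sc_service(event):
    """sc.exe 'create' whose binPath points at a user or temp directory."""
    if event.get("event_id") != 1 or not event.get("image", "").lower().endswith("\\sc.exe"):
        return False
    cmd = event.get("command_line", "")
    if not re.search(r"\bcreate\b", cmd, re.IGNORECASE):
        return False
    m = BINPATH.search(cmd)
    return bool(m and SUSPICIOUS_PATH.search(m.group(1)))


def evaluate(events):
    """Return (rule_name, event) pairs for every event that matches a rule."""
    findings = []
    for ev in events:
        if winlogon_tampering(ev):
            findings.append(("Winlogon Registry Tampering", ev))
        if suspicious_sc_service(ev):
            findings.append(("New Service Creation Using Sc.EXE", ev))
    return findings
```

Run against the sample set, only the Userinit write and the Temp-based service creation produce findings; the benign Winlogon DWORD, the Program Files service and the `sc.exe query` are ignored.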
Bug Fixes and Improvements
Improvements - We have renamed the following detections:
- “Azure: Entra ID Protection Risky Sign-in - High” was previously “Azure Identity Protection Risky Sign-in - High.”
- “Microsoft 365: Authentication Anomaly” was previously “M365 Auth Anomaly 1.”
- “Microsoft 365: Suspicious Login followed by Proxied Mailbox Activity” was previously “M365 Auth Anomaly 2.”
- We made quality of life improvements to the following detections:
- Azure: Entra ID Protection Risky Sign-in - High
- Fortigate: Authentication Bypass CVE-2022-40684
- Microsoft 365: Hidden Privileged Role Assignment
- Microsoft 365: Impossible Travel AAD Login - 2,001+ miles
- Microsoft 365: Suspicious Login followed by Proxied Mailbox Activity
- ConnectWise PSA for MSPs: We made improvements to the way we call the PSA service for a better and more reliable experience during new PSA configurations.
- Findings Search Presets - Findings search presets were failing to load, and we updated the list of allowed fields to fix this issue.
- Rogue Admin Account Detection - The “Rogue Global Administrator Account” detection was deprecated in response to repeated customer confusion. Instead, the “User Added to Privileged Group” detection workflow was updated to support investigation and response to rogue accounts.
- False Positives in Microsoft 365 - Our “Microsoft 365: Authentication Outside of U.S.” and “Microsoft 365: Impossible Travel AAD Login” detections were tuned to reduce false positive events related to users logged as “00000000-0000-0000-0000-000000000000.”
- Fortigate Authentication Bypass Detection - The “Fortigate: Authentication Bypass CVE-2022-40684” detection workflow and analysis were updated to clarify the context of target log events and provide better investigation and response support in the workflow.
January 2025 Release Notes
In case you missed the January updates, you can find and review those notes here.
Eric Pitt
Eric is a Product Marketing Manager at Blumira focusing on customer research and positioning to continuously improve the Blumira platform.