February 2025 Product Releases | Blumira

Written by Eric Pitt | Mar 7, 2025 8:25:37 PM

In February, we announced the beta release of Blumira’s Public API, allowing customers to request access to on-demand findings data outside of the application. We also added new detection rules to our suite, including those for Windows login tampering and suspicious service creation, along with various improvements and bug fixes.

Feature and Platform Updates

Public API Beta: Customers can now request access to Blumira’s Public API to access findings data on-demand outside of the application. As we continue to work on our API capabilities, we welcome early testers on paid Blumira editions to click here to request beta access and give ongoing feedback.

Note: The API currently does not grant MSPs access to sub-accounts; this is planned work for full release as we continue to actively build on the API.

Field Sorting: When editing reports in Report Builder, fields now appear alphabetically in the dropdown menu for easier navigation to the fields you are most interested in.

Error Handling: We improved our error handling/messaging for when a user attempts to add a filter without selecting a data source in the Report Builder.

Detection Updates

Log Type	Detection Rule Name	Details
Windows	NEW - Winlogon Registry Tampering: Change to Startup Behavior	This detection alerts on attempts to manipulate the Windows login process by modifying critical registry paths related to Winlogon. Attackers can exploit these registry locations to force the system to run unauthorized programs during user authentication, creating persistent threats that activate whenever users log in. Default state: Enabled
NEW - New Service Creation Using Sc.EXE	This detection identifies potentially malicious service creation using the “Sc.exe” utility. This detection triggers when a service is created with a suspicious executable path, such as those located in user directories or temporary folders, which is uncommon for legitimate services. This technique is used by threat actors to establish persistence or execute malicious code on the system. Default state: Enabled

Log Type

Detection Rule Name

Details

Windows

NEW - Winlogon Registry Tampering: Change to Startup Behavior

This detection alerts on attempts to manipulate the Windows login process by modifying critical registry paths related to Winlogon. Attackers can exploit these registry locations to force the system to run unauthorized programs during user authentication, creating persistent threats that activate whenever users log in.

Default state: Enabled

NEW - New Service Creation Using Sc.EXE

This detection identifies potentially malicious service creation using the “Sc.exe” utility. This detection triggers when a service is created with a suspicious executable path, such as those located in user directories or temporary folders, which is uncommon for legitimate services. This technique is used by threat actors to establish persistence or execute malicious code on the system.

Default state: Enabled

Bug Fixes and Improvements

Improvements

We have renamed the following detections:
- “Azure: Entra ID Protection Risky Sign-in - High” was previously “Azure Identity Protection Risky Sign-in - High.“
- “Microsoft 365: Authentication Anomaly” was previously “M365 Auth Anomaly 1.“
- “Microsoft 365: Suspicious Login followed by Proxied Mailbox Activity” was previously “M365 Auth Anomaly 2.“
We made quality of life improvements to the following detections:
- Azure: Entra ID Protection Risky Sign-in - High
- Fortigate: Authentication Bypass CVE-2022-40684
- Microsoft 365: Hidden Privileged Role Assignment
- Microsoft 365: Impossible Travel AAD Login - 2,001+ miles
- Microsoft 365: Suspicious Login followed by Proxied Mailbox Activity

Bug Fixes

ConnectWise PSA for MSPs: We made improvements to the way we call the PSA service for a better and more reliable experience during new PSA configurations.
Findings Search Presets - Findings search presets were failing to load, and we updated the list of allowed fields to fix this issue.
Rogue Admin Account Detection - The “Rogue Global Administrator Account” detection was deprecated in response to repeated customer confusion. Instead, the “User Added to Privileged Group“ detection workflow was updated to support investigation and response to rogue accounts.
False Positives in Microsoft 365 - Our “Microsoft 365: Authentication Outside of U.S.“ and “Microsoft 365: Impossible Travel AAD Login“ detections were tuned to reduce false positive events related to users logged as “00000000-0000-0000-0000-000000000000.”
Fortigate Authentication Bypass Detection - The “Fortigate: Authentication Bypass CVE-2022-40684” detection workflow and analysis were updated to clarify the context of target log events and provide better investigation and response support in the workflow.

January 2025 Release Notes

In case you missed the January updates, you can find and review those notes here.

View full post