
January 2024 Product Releases | Blumira

Written by Faith Bradley | Feb 16, 2024 8:58:39 PM

Summary

In January, we introduced two new Cloud Connector integrations, JumpCloud and OneLogin, so users can start sending those logs to Blumira to meet compliance needs. We also added a detection rule that monitors the health of Microsoft 365 Cloud Connectors and alerts when logs stop arriving in Blumira.

Feature and Platform Updates

New Cloud Connectors: We added JumpCloud and OneLogin Cloud Connectors, both of which can be configured for log ingestion to meet your organization's compliance needs. Log parsing, which detailed reporting and detections depend on, will follow in a future release.

Detection Updates

Log type: Fortigate System/VPN
Rule: Fortigate: Authentication Bypass CVE-2022-40684
Details: Updated to reduce false positives, with added logic to capture updated indicators of compromise (IOCs) and additional fields to support detection filters.

Log type: HTTP Access (Apache/IIS/NginX)
Rule: CVE-2023-34362: MOVEit Indicator of Compromise
Details: Updated the rule logic to reduce false positives caused by normal MOVEit Transfer activity.

Log type: Microsoft 365
Rule: Microsoft 365: Impossible Travel AAD Login
Details: This existing rule now includes a tip to run the "Microsoft 365 – Azure AD: Login Report" in the app to review the user agents associated with the detected logins.

Log type: Microsoft 365 / Azure AD
Rule: Potential Issue with Microsoft to Blumira Log Flow (new)
Details: This operational detection alerts you when the client secret for your Microsoft 365 Cloud Connector has expired and logs are no longer being sent to Blumira. Once the secret lapses the connector can no longer authenticate to Microsoft, so the feed stops until a new secret is issued and updated in the connector.

Log type: Multi-source
Rule: Nltest Domain Enumeration
Details: Improved to also capture parent_domain nltest invocations, in addition to matching command-line invocations of nltest and process_name values like nltest.

Log type: Okta
Rule: Okta: Log Failure
Details: This operational rule now alerts you when Okta logs have stopped flowing to Blumira because the Okta API is returning 401 or 403 errors. Those responses mean the integration's credentials are invalid (for example, a revoked or expired API token); regenerate them in Okta and update the Okta sensor module in the app.
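The nltest row above describes matching on several fields rather than on the process name alone. The script below is an added illustration of that approach and is not Blumira's rule logic. The event schema (process_name, command_line, parent_process_name), the switch list and the sample events are all constructed here; the page's phrase "parent_domain nltest invocations" is ambiguous, so the example covers both plausible readings, the /parentdomain switch and a child process whose parent is nltest.

```python
"""
Illustrative detection logic for nltest domain enumeration.

Added example, not Blumira's rule: the field names (process_name,
command_line, parent_process_name), the switch list and the sample
events are constructed for this script so it runs offline.
"""
import re

# nltest as a bare name, a full path, or with .exe, but not inside another
# word, so "nltestresults.txt" does not match.
NLTEST = re.compile(r"(?<![\w.-])nltest(?:\.exe)?\b", re.IGNORECASE)

# Switches typically used to map a domain; constructed list, not exhaustive.
ENUM_SWITCHES = re.compile(
    r"/(parentdomain|dclist|domain_trusts|all_trusts|trusted_domains|"
    r"dsgetdc|dsgetsite|server|query)\b",
    re.IGNORECASE,
)

# Constructed process-creation events in a generic, Sysmon-like shape.
SAMPLE_EVENTS = [
    {"host": "ws01", "process_name": "nltest.exe",
     "command_line": "nltest /parentdomain",
     "parent_process_name": "cmd.exe"},
    {"host": "ws02", "process_name": "powershell.exe",
     "command_line": 'powershell -nop -c "nltest /domain_trusts /all_trusts"',
     "parent_process_name": "explorer.exe"},
    {"host": "ws03", "process_name": "C:\\Windows\\System32\\nltest.exe",
     "command_line": '"C:\\Windows\\System32\\nltest.exe" /server:dc01 /query',
     "parent_process_name": "wmiprvse.exe"},
    {"host": "ws04", "process_name": "notepad.exe",
     "command_line": "notepad.exe C:\\Users\\alice\\nltestresults.txt",
     "parent_process_name": "explorer.exe"},
    {"host": "ws05", "process_name": "conhost.exe",
     "command_line": "\\??\\C:\\Windows\\system32\\conhost.exe 0x4",
     "parent_process_name": "nltest.exe"},
]


def match_nltest(event):
    """
    Return a finding dict when any of the three fields names nltest, or
    None otherwise. Checking all three fields is the point: a rule keyed
    only on process_name misses "powershell -c nltest ..." (ws02), while
    one keyed only on command_line misses children spawned by nltest (ws05).
    """
    matched_on = [
        field for field in ("process_name", "command_line", "parent_process_name")
        if NLTEST.search(event.get(field, ""))
    ]
    if not matched_on:
        return None
    switches = [s.lower() for s in ENUM_SWITCHES.findall(event.get("command_line", ""))]
    return {"host": event.get("host"), "matched_on": matched_on, "switches": switches}


def detect(events):
    """Run match_nltest over a batch of events and keep only the findings."""
    return [finding for finding in (match_nltest(e) for e in events) if finding]


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

On the constructed events this flags ws01, ws02, ws03 and ws05 and ignores the notepad event, whose command line merely contains a file named nltestresults.txt. The captured switches give an analyst the enumeration intent at a glance; a production rule would additionally tune on the parent process (a scheduled task or interactive shell is more suspicious than a known inventory agent).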

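The two operational rows above (the Microsoft 365 log-flow rule and the Okta log-failure rule) both alert on the same underlying condition, a collector that has stopped receiving logs, but for different observable reasons. The script below is an added example of how such a health monitor can separate those causes; it is not Blumira's detection logic. The per-source record shape (name, last_event, last_poll_status, secret_expires), the thresholds and all sample data are constructed, and the proactive secret-expiry check goes beyond what the release notes describe.

```python
"""
Illustrative operational detection for log-flow health.

Added example, not Blumira's detection logic. It models the two failure
signals the release notes describe, plus one proactive check the notes
do not mention: (1) a source has gone silent for longer than expected
(the Microsoft 365 case, where an expired client secret stops the feed);
(2) the collector's API poll is rejected with 401 or 403 (the Okta case),
which points at invalid credentials rather than an idle tenant; and
(3) a known credential expiry date is past or imminent. The record shape
and all sample data are constructed for this script.
"""
from datetime import datetime, timedelta, timezone

# Constructed per-source collector state: last event received, HTTP status
# of the latest API poll, and (where the integration uses one) the client
# secret's expiry date.
SOURCES = [
    {"name": "m365-tenant-a", "last_event": "2024-01-15T10:05:00Z",
     "last_poll_status": 200, "secret_expires": "2024-01-25T00:00:00Z"},
    {"name": "m365-tenant-b", "last_event": "2024-01-14T21:30:00Z",
     "last_poll_status": 200, "secret_expires": "2024-01-14T00:00:00Z"},
    {"name": "okta-prod", "last_event": "2024-01-15T09:58:00Z",
     "last_poll_status": 401},
    {"name": "okta-dev", "last_event": "2024-01-10T08:00:00Z",
     "last_poll_status": 403},
]

# Fixed "now" so the run is reproducible; a real monitor would use the clock.
NOW = datetime(2024, 1, 15, 10, 30, tzinfo=timezone.utc)
SILENCE_THRESHOLD = timedelta(hours=6)   # tune per source volume
EXPIRY_WARNING = timedelta(days=14)
AUTH_FAILURES = {401, 403}


def parse_ts(value):
    """Parse an RFC 3339 UTC timestamp written with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_source(src, now=NOW, threshold=SILENCE_THRESHOLD):
    """
    Return the list of alerts for one source, most specific cause first.

    Credential rejection (401/403) is reported before silence because it
    names the cause. Silence alone is only alerted past a threshold: a
    low-activity tenant can legitimately produce nothing for an hour, and
    a single empty poll should not page anyone.
    """
    alerts = []
    name = src["name"]

    status = src["last_poll_status"]
    if status in AUTH_FAILURES:
        alerts.append({"source": name, "type": "credential_rejected",
                       "http_status": status,
                       "action": "regenerate the API credential and update the sensor/connector"})

    if "secret_expires" in src:
        remaining = parse_ts(src["secret_expires"]) - now
        if remaining <= timedelta(0):
            alerts.append({"source": name, "type": "secret_expired",
                           "action": "rotate the client secret and update the connector"})
        elif remaining <= EXPIRY_WARNING:
            alerts.append({"source": name, "type": "secret_expiring",
                           "days_left": remaining.days,
                           "action": "rotate the client secret before it lapses"})

    silent_for = now - parse_ts(src["last_event"])
    if silent_for > threshold:
        alerts.append({"source": name, "type": "log_flow_stopped",
                       "silent_hours": round(silent_for.total_seconds() / 3600, 1),
                       "action": "verify the connector can still authenticate and pull logs"})
    return alerts


def run(sources=SOURCES, now=NOW):
    """Evaluate every source and return all alerts in source order."""
    return [alert for src in sources for alert in check_source(src, now)]


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

With the constructed data, m365-tenant-b shows the pattern the release notes target: its secret expired the day before and the feed has been silent for 13 hours, so the two alerts together explain the outage. okta-prod is still within the silence window but already returning 401, which is why the credential check is evaluated independently of the gap in events.
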
Bug Fixes and Improvements

We improved some labels in Report Builder so users can edit their reports more easily and find the full list of available columns, which was previously hard to locate.

December Highlights

In case you missed the December updates, you can find and review those notes here.