    February 14, 2025

    January 2025 Product Releases

    We're excited to announce the availability of our new ConnectWise Professional Services Automation (PSA) Integration for MSPs, designed to automate security tasks and streamline workflows. Over the last month, we also added three new detection rules to our detection suite, updated several existing ones, and shipped improvements that speed up investigations, simplify management, and strengthen your security posture.

    Feature and Platform Updates

    New ConnectWise PSA Integration: Blumira’s integration with ConnectWise PSA (formerly Manage) enables MSPs to receive Blumira finding notifications and updates directly in their ticketing system. This integration helps MSPs automate security tasks and reduce manual effort by merging related tickets, assigning priorities, and minimizing administrative work—allowing more time to focus on securing your customers. See our support article to learn more.

    Field Sorting: When editing reports in Report Builder, fields now appear alphabetically in the dropdown menu for easier navigation to the fields you are most interested in.

    Error Handling: We improved our error handling/messaging for when a user attempts to add a filter without selecting a data source in the Report Builder.

    Detection Updates

    Log Type: Windows
    Detection Rule Name: NEW - Disabled Account Attempted Login
    Details: This detection rule monitors for failed Windows logins that were rejected because the targeted account is disabled. This may be legitimate activity (a user whose account was recently deactivated, a stale scheduled task or service credential), but it is unusual in most environments and can be evidence of unauthorized access attempts. Multiple failed logins against the built-in "Guest" account deserve particular attention: Guest is disabled by default on modern Windows systems and is commonly targeted by attackers during reconnaissance. Vulnerability scanners (such as Qualys or Nessus) may also generate findings from this rule.
    Default state: Disabled

    Log Type: Windows
    Detection Rule Name: Injected Explorer Discovery Commands
    Details: This rule was triggering on legitimate administrative activity, so its logic has been refined. After reviewing data across our customer base, we reclassified it from a P2 Threat to a P3 Suspect. Automatic Host Isolation has been removed from this detection.

    Log Type: Windows or Blumira Agent for Windows
    Detection Rule Name: NEW - Potential Exploitation of Cleo CVE-2024-55956 - Autorun File Artifacts
    Details: This detection rule triggers when file artifacts are observed that match those seen in active attacks exploiting Cleo CVE-2024-55956. For more information, see Vulnerabilities in Cleo Software Allow for Unauthenticated Remote Code Execution via CVE-2024-55956.
    Default state: Enabled

    Log Type: MS365 AD/Entra
    Detection Rule Name: NEW - Microsoft 365: New MFA Device Added
    Details: This detection rule triggers when a user registers an additional MFA method. This is often part of normal onboarding or an account reset procedure. However, attackers who have obtained an account's credentials have been known to register an MFA device under their own control so they can maintain access and answer MFA prompts without the legitimate user's involvement. Confirm with the user, or the help desk ticket, that the registration was expected.
    Default state: Enabled

    Log Type: Blumira Agent
    Detection Rule Name: Suspicious Process Parent
    Details: This new P2 Threat detection triggers when one or more user accounts fail AAA authentication at an excessive rate (5 or more failed logins within an hour), which can indicate a brute-force attack in which word lists are used to guess username/password combinations.

    Log Type: Azure Entra
    Detection Rule Name: Azure: Entra ID Global Admin Role Assignment**
    Details: Updated to account for newer MS-PIM strings in the office365_aad log type, reducing false positives.

    Log Type: Google Workspace
    Detection Rule Name: Google Workspace: Impossible Travel**
    Details: Updated to expose more fields for use in detection filters.

    Log Type: Google Workspace
    Detection Rule Name: Google Workspace: Potential Clear-Text Password**
    Details: Updated to lower its priority from a Threat to a P3 Risk, which more accurately reflects its severity.

    Log Type: CrowdStrike
    Detection Rule Name: All CrowdStrike Detections and Workflows
    Details: Updated to use the new fields exposed by the parser change made for the GoFalcon SDK 9.0 release.
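The two Windows failed-login rules above (disabled-account logins, with extra weight on the Guest account, and 5 or more failures per account within an hour) can be reproduced over raw Security log events. The following is an added example and not Blumira's rule code; it assumes the standard Event ID 4625 fields, the NT sub-status 0xC0000072 (STATUS_ACCOUNT_DISABLED) that Windows reports for a disabled account, and a handful of constructed sample events. The finding severities ("Info", "Suspect") and the threshold constant are illustrative choices, not the product's values.

```python
"""Run disabled-account and excessive-failure logic over constructed Windows 4625 events."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# NT status sub-code that Windows puts in 4625 SubStatus when the target account is disabled.
ACCOUNT_DISABLED_SUBSTATUS = "0xc0000072"
# Assumed values mirroring the "5+ failed logins within an hour" rule described above.
BRUTE_FORCE_THRESHOLD = 5
BRUTE_FORCE_WINDOW = timedelta(hours=1)


def make_event(ts, user, ip, status, substatus, event_id=4625):
    """Build a minimal Security event dict (constructed sample data, not real telemetry)."""
    return {
        "TimeCreated": datetime.fromisoformat(ts),
        "EventID": event_id,
        "TargetUserName": user,
        "IpAddress": ip,
        "Status": status,
        "SubStatus": substatus,
    }


# Constructed sample events: one wrong password, two disabled-account rejections,
# one successful logon, and a five-attempt run against the administrator account.
SAMPLE_EVENTS = [
    make_event("2025-01-10T09:00:00", "jdoe", "10.0.0.5", "0xC000006D", "0xC000006A"),
    make_event("2025-01-10T09:01:00", "svc_backup", "10.0.0.7", "0xC000006E", "0xC0000072"),
    make_event("2025-01-10T09:02:00", "Guest", "10.0.0.9", "0xC000006E", "0xC0000072"),
    make_event("2025-01-10T09:03:00", "jdoe", "10.0.0.5", "0x0", "0x0", event_id=4624),
    make_event("2025-01-10T09:05:00", "administrator", "10.0.0.9", "0xC000006D", "0xC000006A"),
    make_event("2025-01-10T09:10:00", "administrator", "10.0.0.9", "0xC000006D", "0xC000006A"),
    make_event("2025-01-10T09:15:00", "administrator", "10.0.0.9", "0xC000006D", "0xC000006A"),
    make_event("2025-01-10T09:20:00", "administrator", "10.0.0.9", "0xC000006D", "0xC000006A"),
    make_event("2025-01-10T09:25:00", "administrator", "10.0.0.9", "0xC000006D", "0xC000006A"),
    make_event("2025-01-10T11:30:00", "Guest", "10.0.0.9", "0xC000006E", "0xC0000072"),
]


def classify_disabled_logon(event):
    """Return a finding for a 4625 rejected because the account is disabled, else None."""
    if event["EventID"] != 4625:
        return None
    if event["SubStatus"].lower() != ACCOUNT_DISABLED_SUBSTATUS:
        return None
    # Guest is disabled by default on modern Windows; attempts against it are a recon signal,
    # so they get a higher illustrative severity than a disabled user or service account.
    is_guest = event["TargetUserName"].lower() == "guest"
    return {
        "rule": "Disabled Account Attempted Login",
        "severity": "Suspect" if is_guest else "Info",
        "account": event["TargetUserName"],
        "source_ip": event["IpAddress"],
        "time": event["TimeCreated"],
    }


def detect(events):
    """Evaluate both rules over events in time order and return the findings raised."""
    findings = []
    # Per-account sliding window of failed-logon timestamps for the rate rule.
    recent_failures = defaultdict(deque)
    for event in sorted(events, key=lambda e: e["TimeCreated"]):
        finding = classify_disabled_logon(event)
        if finding:
            findings.append(finding)
        if event["EventID"] != 4625:
            continue  # successful logons (4624) do not count toward the failure rate
        key = event["TargetUserName"].lower()
        window = recent_failures[key]
        window.append(event["TimeCreated"])
        while window and event["TimeCreated"] - window[0] > BRUTE_FORCE_WINDOW:
            window.popleft()
        if len(window) == BRUTE_FORCE_THRESHOLD:  # fire once, when the threshold is crossed
            findings.append({
                "rule": "Excessive Failed Logins",
                "severity": "Threat",
                "account": event["TargetUserName"],
                "source_ip": event["IpAddress"],
                "time": event["TimeCreated"],
                "failures_in_window": len(window),
            })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['time']:%H:%M} {f['severity']:<7} {f['rule']}: {f['account']} from {f['source_ip']}")
```

Run against the sample set this raises four findings: an Info finding for the disabled svc_backup account, a Suspect finding for each Guest attempt, and a single Threat finding when the administrator account reaches its fifth failure at 09:25. Events older than an hour fall out of the window, which is why the two Guest attempts do not combine into a rate finding.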

    Bug Fixes and Improvements

    Improvements
    • Cloud Connectors were validating fields inconsistently - Improper values were being recorded. Fields are now being validated correctly. 
    • Overly lengthy findings view - Findings with lengthy analysis would create very long rows in the findings view. Findings are now truncated to improve readability.
    Bug Fixes
    • Additional evidence stacking - Additional evidence sometimes failed to stack in findings. We fixed this bug, which affected findings generated between November 15, 2024, and January 6, 2025. All matched evidence now appears as expected in the app.

    December 2024 Release Notes

    In case you missed the December 2024 updates, you can find and review those notes here.


    Tag(s): Product Updates
