We're excited to announce the availability of our new ConnectWise Professional Services Automation (PSA) Integration for MSPs, designed to automate security tasks and streamline workflows. Over the last month, we also added three new detection rules to our detection suite, along with various improvements to help streamline investigations and workflows, enhance your security posture, and simplify management.
Log Type | Detection Rule Name | Details |
---|---|---|
Windows | NEW - Disabled Account Attempted Login | This detection rule monitors for failed Windows logins due to the targeted account being disabled. This may be related to legitimate activity, but is unusual in most environments and could be evidence of unauthorized access attempts. Additionally, multiple failed login attempts for the built-in "Guest" account should be considered suspicious, as this account is disabled by default in modern Windows systems and is commonly targeted by attackers during reconnaissance activities. Vulnerability scanners (such as Qualys or Nessus) may also generate findings. Default state: Disabled |
Windows | Injected Explorer Discovery Commands | This rule was being triggered for legitimate administrative activity, so the logic has been improved. After reviewing data across our customer base, we reclassified it from a P2 Threat to a P3 Suspect. Automatic Host Isolation has been removed from this detection. |
Windows or Blumira Agent for Windows | NEW - Potential Exploitation of Cleo CVE-2024-55956 - Autorun File Artifacts | This detection rule is triggered when file artifacts are detected matching those seen in active attacks related to Cleo CVE-2024-55956. For more information, see Vulnerabilities in Cleo Software Allow for Unauthenticated Remote Code Execution via CVE-2024-55956. Default state: Enabled |
MS365 AD/Entra | NEW - Microsoft 365: New MFA Device Added | This detection rule is triggered when at least one user registers an additional MFA method. This may be part of a natural onboarding or account reset procedure. Malicious actors have been known to add their own MFA devices under their control in order to maintain access to an account and respond to MFA prompts without user interaction. Default state: Enabled |
Blumira Agent | Suspicious Process Parent | This new P2 Threat detection triggers when one or more user accounts have failed AAA authentication at an excessive rate (5+ failed logins within an hour), which could indicate a brute force attack where word lists are used to guess username/password combinations. |
Azure Entra | Azure: Entra ID Global Admin Role Assignment | Updated to account for newer MS-PIM strings in the office365_aad log type to reduce false positive rates. |
Google Workspace | Google Workspace: Impossible Travel | This detection was updated to include more fields for detection filters. |
Google Workspace | Google Workspace: Potential Clear-Text Password | Updated to reduce its severity from a Threat to a P3 Risk to more accurately reflect its level of severity. |
CrowdStrike | All CrowdStrike Detections and Workflows | Updated to utilize the new fields made available from the parser change in response to adoption of the GoFalcon SDK 9.0 release. |
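To make the two login-based rules in the table concrete, here is an added example (illustrative code written for these notes, not Blumira's rule engine or its actual rule logic) that runs the "Disabled Account Attempted Login" check and the "5+ failed logins within an hour" rate check over constructed Windows Security event records. It assumes the records carry the Event ID 4625 SubStatus field, where 0xC0000072 indicates the targeted account is disabled; the sample events, usernames and addresses are constructed for the demonstration.

```python
"""Illustrative detection logic for two rules above (added example, not Blumira code)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security event 4625 (failed logon) carries a SubStatus field:
# 0xC0000072 = account disabled, 0xC000006A = bad password.
EVENT_FAILED_LOGON = 4625
SUBSTATUS_ACCOUNT_DISABLED = "0xC0000072"
SUBSTATUS_BAD_PASSWORD = "0xC000006A"

# Constructed sample events (not real logs); fields mirror 4625/4624 event data.
SAMPLE_EVENTS = [
    {"ts": "2024-12-10T08:00:05", "event_id": 4625, "user": "Guest", "src": "10.0.0.9", "sub_status": SUBSTATUS_ACCOUNT_DISABLED},
    {"ts": "2024-12-10T08:00:07", "event_id": 4625, "user": "Guest", "src": "10.0.0.9", "sub_status": SUBSTATUS_ACCOUNT_DISABLED},
    {"ts": "2024-12-10T08:03:00", "event_id": 4625, "user": "svc_legacy", "src": "10.0.0.12", "sub_status": SUBSTATUS_ACCOUNT_DISABLED},
    {"ts": "2024-12-10T09:10:00", "event_id": 4624, "user": "jdoe", "src": "10.0.0.5", "sub_status": "0x0"},
] + [
    # jdoe: six bad-password failures inside 15 minutes (constructed brute-force pattern)
    {"ts": f"2024-12-10T09:{12 + 3 * i:02d}:00", "event_id": 4625, "user": "jdoe", "src": "10.0.0.5", "sub_status": SUBSTATUS_BAD_PASSWORD}
    for i in range(6)
] + [
    # asmith: three failures spread one hour apart (constructed benign typo pattern)
    {"ts": f"2024-12-10T{10 + i:02d}:30:00", "event_id": 4625, "user": "asmith", "src": "10.0.0.7", "sub_status": SUBSTATUS_BAD_PASSWORD}
    for i in range(3)
]


def disabled_account_logins(events):
    """Rule 1: failed logons whose SubStatus says the target account is disabled.
    Hits against the built-in Guest account are marked 'suspicious' because Guest is
    disabled by default and commonly probed; other disabled accounts are 'review'
    (could be a stale service account or a vulnerability scanner)."""
    findings = []
    for e in events:
        if e["event_id"] != EVENT_FAILED_LOGON or e["sub_status"] != SUBSTATUS_ACCOUNT_DISABLED:
            continue
        priority = "suspicious" if e["user"].lower() == "guest" else "review"
        findings.append({"user": e["user"], "src": e["src"], "ts": e["ts"], "priority": priority})
    return findings


def excessive_failed_logins(events, threshold=5, window=timedelta(hours=1)):
    """Rule 2: accounts with at least `threshold` failed logons inside any sliding
    window of length `window` (defaults match the '5+ within an hour' rule).
    Returns {user: peak_failures_in_window} for flagged accounts only."""
    per_user = defaultdict(list)
    for e in events:
        if e["event_id"] == EVENT_FAILED_LOGON:
            per_user[e["user"]].append(datetime.fromisoformat(e["ts"]))
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            # advance the window start until every retained failure is within `window` of t
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[user] = peak
    return flagged


if __name__ == "__main__":
    for f in disabled_account_logins(SAMPLE_EVENTS):
        print("disabled-account logon:", f)
    print("excessive failures:", excessive_failed_logins(SAMPLE_EVENTS))
```

The sliding window matters: asmith's three failures spread across two hours never reach five inside any one-hour span, so only jdoe is flagged with the default threshold, while the Guest hits surface under the first rule regardless of rate.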
In case you missed the November updates, you can find and review those notes here.