Summary
In July, we released an Azure Event Hubs Cloud Connector to provide improved cloud-based logging of the data you stream through an event hub, such as Entra or Defender logs. We also created a new Microsoft 365 global report and six new detection rules!
Feature and Platform Updates
- Azure Event Hubs Cloud Connector: Users of all Blumira editions can now use a Blumira Cloud Connector to integrate with Azure Event Hubs, including event hubs located in regions outside the United States. This updated integration replaces the original sensor-based integration so you can easily connect Blumira to your event hub for logging data from Azure Monitor, Microsoft Defender, Intune, or Entra.
- New Global Report: The “Microsoft 365: Forwarding Rule Activity Previous 30 Days” report helps users audit new rules that have recently been created within their Exchange Online tenant.
Detection Updates
| Log Type | Detection Details |
|---|---|
| Azure AD Audit (Entra) | NEW - Azure: Service Principal Creation By Service Principal. This new detection rule alerts when a Service Principal in Entra creates another Service Principal. Some Azure services and products do this legitimately as part of a managed service. Threat actors have been observed using this technique to gain persistence and grow their foothold in Azure environments. |
| Microsoft 365 Azure AD (Entra) | NEW: These new detection rules, which are disabled by default, are similar to the “Microsoft 365: Impossible Travel AAD Login - 2,001 miles and higher” rule. When enabled, they trigger an alert when successful logins are detected between 500 and 999 miles apart within a 2-hour window, or between 1,000 and 2,000 miles apart within a 4-hour window. Logins 2,001 miles and higher apart still use a 6-hour window. Note: Windowed detection rules are only available in paid Blumira editions. |
| Google Workspace | NEW - Google Workspace: 100 or More Drive Deletions in 15 Minutes. This new P3 Risk detection rule triggers when a single user’s deletion activity within Google Drive exceeds 100 files within a 15-minute window. |
| Google Workspace | Google Workspace: Suspicious Login Allowed. We renamed the “Google Workspace: Suspicious Login” detection rule to “Google Workspace: Suspicious Login Allowed” to clarify that it alerts on allowed activity that meets the suspicious behavior described here. This rule is now deployed in a default-disabled state, so administrators of newly integrated accounts can choose to enable it. |
| JumpCloud | NEW - JumpCloud: User Created. When enabled, this new P3 Operational detection rule alerts when JumpCloud users are created. It is disabled by default. |
| JumpCloud | NEW - JumpCloud: User Deleted. When enabled, this new P3 Operational detection rule alerts when JumpCloud users are deleted. It is disabled by default. |
| Multi-source | Reconnaissance via Net Commands. Findings for this detection now include the |
| Multi-source | Remote Access Tool: LogMeIn. This detection rule now includes logic to detect when the LogMeIn Rescue executable |
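As an added example, not Blumira's own detection logic, the tiered impossible-travel rules described in the table above run over constructed login events. The distance tiers and time windows are the ones stated in the table; the haversine distance, the comparison of each successful login with the same user's previous successful login, and the event layout are assumptions about how such a rule could be implemented.

```python
from math import asin, cos, radians, sin, sqrt
# Distance tiers (miles) and the window (hours) for each, as in the release notes above.
TIERS = ((500, 999, 2), (1000, 2000, 4), (2001, float("inf"), 6))

def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates, in statute miles."""
    p1, p2 = radians(lat1), radians(lat2)
    a = (sin(radians(lat2 - lat1) / 2) ** 2
         + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2)
    return 2 * 3958.8 * asin(sqrt(a))

def window_hours(distance_miles):
    """Window for a distance, or None when it is below the 500-mile floor."""
    miles = round(distance_miles)
    for low, high, hours in TIERS:
        if low <= miles <= high:
            return hours
    return None

def impossible_travel(logins):
    """Compare each successful login with the same user's previous successful one.
    Each login is (user, epoch_seconds, lat, lon, success). Returns a list of
    (user, miles, hours_apart, window_hours) for every pair inside its tier's window."""
    findings, last = [], {}
    for user, ts, lat, lon, success in sorted(logins, key=lambda l: l[1]):
        if not success:          # failed attempts never anchor or trip the rule
            continue
        if user in last:
            pts, plat, plon = last[user]
            miles = haversine_miles(plat, plon, lat, lon)
            hours = (ts - pts) / 3600
            window = window_hours(miles)
            if window is not None and hours <= window:
                findings.append((user, round(miles), round(hours, 2), window))
        last[user] = (ts, lat, lon)
    return findings

# Constructed sample events (not real tenant data); coordinates are city centres.
H = 3600
SAMPLE = [
    ("alice", 0.0 * H, 41.8781, -87.6298, True),   # Chicago
    ("alice", 1.5 * H, 40.7128, -74.0060, True),   # New York: ~711 mi in 1.5 h, 2 h tier
    ("bob", 0.0 * H, 51.5074, -0.1278, True),      # London
    ("bob", 5.0 * H, 40.7128, -74.0060, True),     # New York: ~3460 mi in 5 h, 6 h tier
    ("carol", 0.0 * H, 40.7128, -74.0060, True),   # New York
    ("carol", 5.0 * H, 25.7617, -80.1918, True),   # Miami: ~1090 mi in 5 h, outside 4 h tier
    ("erin", 0.0 * H, 51.5074, -0.1278, False),    # London, failed: ignored
    ("erin", 1.0 * H, 40.7128, -74.0060, True),    # New York: no earlier success, no finding
]
```

Running `impossible_travel(SAMPLE)` yields findings for alice and bob only; carol's pair falls outside its tier's window and erin's failed login is never used as an anchor.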
May Release Notes
In case you missed the May updates, you can find and review those notes here.