Summary
In July, we released an Azure Event Hubs Cloud Connector to provide improved cloud-based logging of the data you stream through an event hub, such as Entra or Defender logs. We also created a new Microsoft 365 global report and six new detection rules!
Feature and Platform Updates
- Azure Event Hubs Cloud Connector: Users of all Blumira editions can now use a Blumira Cloud Connector to integrate with Azure Event Hubs, including event hubs located in regions outside the United States. This updated integration replaces the original sensor-based integration so you can easily connect Blumira to your event hub for logging data from Azure Monitor, Microsoft Defender, Intune, or Entra.
- New Global Report: The “Microsoft 365: Forwarding Rule Activity Previous 30 Days” report helps users audit new rules that have recently been created within their Exchange Online tenant.
Detection Updates
Log Type | Detection Details
---|---
Azure AD Audit (Entra) | NEW - Azure: Service Principal Creation By Service Principal. This new detection rule alerts when a Service Principal in Entra creates another Service Principal. Some Azure services and products do this legitimately as part of a managed service. Threat actors have been observed using this technique to gain persistence and grow their foothold in Azure environments.
Microsoft 365 Azure AD (Entra) | NEW: These new detection rules, which are disabled by default, are similar to the “Microsoft 365: Impossible Travel AAD Login - 2,001 miles and higher” rule. When enabled, they trigger an alert when successful logins are detected between 500 and 999 miles apart within a 2-hour window, or between 1,000 and 2,000 miles apart within a 4-hour window. The 2,001 miles and higher rule keeps its 6-hour window. Note: Windowed detection rules are only available in paid Blumira editions.
Google Workspace | NEW - Google Workspace: 100 or More Drive Deletions in 15 Minutes. This new P3 Risk detection rule triggers when a single user’s deletion activity within Google Drive exceeds 100 files within a 15-minute window.
Google Workspace | Google Workspace: Suspicious Login Allowed. We renamed the “Google Workspace: Suspicious Login” detection rule to “Google Workspace: Suspicious Login Allowed” to clarify that it alerts on allowed activity that meets the suspicious behavior described here. This rule is now deployed in a default-disabled state, so administrators of newly integrated accounts can choose to enable it.
JumpCloud | NEW - JumpCloud: User Created. When enabled, this new P3 Operational detection rule alerts when JumpCloud users are created. It is disabled by default.
JumpCloud | NEW - JumpCloud: User Deleted. When enabled, this new P3 Operational detection rule alerts when JumpCloud users are deleted. It is disabled by default.
Multi-source | Reconnaissance via Net Commands. Findings for this detection now include the
Multi-source | Remote Access Tool: LogMeIn. This detection rule now includes logic to detect when the LogMeIn Rescue executable
May Release Notes
In case you missed the May updates, you can find and review those notes here.