
July 2024 Product Release Notes

Written by Faith Bradley | Aug 8, 2024 5:07:13 PM

Summary

In July, we released an Azure Event Hubs Cloud Connector to provide improved cloud-based logging of the data you stream through an event hub, such as Entra or Defender logs. We also created a new Microsoft 365 global report and six new detection rules!

Feature and Platform Updates

  • Azure Event Hubs Cloud Connector: Users of all Blumira editions can now use a Blumira Cloud Connector to integrate with Azure Event Hubs, including event hubs located in regions outside the United States. This updated integration replaces the original sensor-based integration so you can easily connect Blumira to your event hub for logging data from Azure Monitor, Microsoft Defender, Intune, or Entra.

  • New Global Report: The “Microsoft 365: Forwarding Rule Activity Previous 30 Days” report helps users audit mail forwarding rules that have recently been created in their Exchange Online tenant, a common persistence and data exfiltration technique after a mailbox compromise.

Detection Updates

The updates below are grouped by log type, followed by the detection details for each rule.
Azure AD Audit (Entra)

NEW - Azure: Service Principal Creation By Service Principal

This new detection rule alerts when a Service Principal in Entra creates another Service Principal. Some Azure services and products do this legitimately as part of a managed service, so expect to tune the rule for known automation. Threat actors have been observed using this technique to gain persistence and grow their foothold in Azure environments, since a newly created service principal with its own credentials survives password resets and user disablement.
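As an added illustration (not Blumira's detection code), the following Python filter applies the same logic to Entra ID audit records of the shape that the AuditLogs category streams through an event hub: the operation is "Add service principal", it succeeded, and the initiator is an application (initiatedBy.app) rather than a user (initiatedBy.user). The sample records, the allow list and the helper names are constructed for this example; the field names are assumptions about the Entra audit log schema.

```python
"""Flag Entra ID audit events where a service principal creates another
service principal. Added example; not Blumira's rule implementation."""

# Constructed sample audit records shaped like Entra ID AuditLogs entries.
# Every value below is made up for illustration.
SAMPLE_AUDIT_LOGS = [
    {   # A human admin registering an app: expected, should not alert.
        "operationName": "Add service principal",
        "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example",
                                 "id": "00000000-0000-0000-0000-000000000001"}},
        "targetResources": [{"type": "ServicePrincipal", "displayName": "HR-Portal"}],
    },
    {   # An application (service principal) creating another one: alert.
        "operationName": "Add service principal",
        "result": "success",
        "initiatedBy": {"app": {"displayName": "Build-Automation",
                                "servicePrincipalId": "00000000-0000-0000-0000-0000000000aa"}},
        "targetResources": [{"type": "ServicePrincipal", "displayName": "Backdoor-SP"}],
    },
    {   # Same initiator, but the operation failed: nothing was created, no alert.
        "operationName": "Add service principal",
        "result": "failure",
        "initiatedBy": {"app": {"displayName": "Build-Automation",
                                "servicePrincipalId": "00000000-0000-0000-0000-0000000000aa"}},
        "targetResources": [{"type": "ServicePrincipal", "displayName": "Other-SP"}],
    },
    {   # An application doing an unrelated operation: no alert.
        "operationName": "Update application",
        "result": "success",
        "initiatedBy": {"app": {"displayName": "Build-Automation",
                                "servicePrincipalId": "00000000-0000-0000-0000-0000000000aa"}},
        "targetResources": [{"type": "Application", "displayName": "Build-Automation"}],
    },
]

# Hypothetical per-tenant allow list of automation that legitimately creates
# service principals (for example a managed service). Empty by default.
ALLOWED_CREATOR_IDS: set[str] = set()


def is_sp_created_by_sp(event: dict) -> bool:
    """True when a successful 'Add service principal' was initiated by an app."""
    if event.get("operationName") != "Add service principal":
        return False
    if event.get("result") != "success":
        return False
    initiated_by = event.get("initiatedBy") or {}
    # An app initiator is the signal; a user initiator is normal admin activity.
    if "app" not in initiated_by or "user" in initiated_by:
        return False
    targets = event.get("targetResources") or []
    return any(t.get("type") == "ServicePrincipal" for t in targets)


def find_sp_creation_by_sp(events, allowed=None) -> list[dict]:
    """Return one finding per matching event, skipping allow-listed creators."""
    allowed = ALLOWED_CREATOR_IDS if allowed is None else allowed
    findings = []
    for ev in events:
        if not is_sp_created_by_sp(ev):
            continue
        creator = ev["initiatedBy"]["app"]
        if creator.get("servicePrincipalId") in allowed:
            continue
        target = next(t for t in ev["targetResources"] if t.get("type") == "ServicePrincipal")
        findings.append({
            "creator": creator.get("displayName"),
            "creator_id": creator.get("servicePrincipalId"),
            "target": target.get("displayName"),
        })
    return findings


if __name__ == "__main__":
    for f in find_sp_creation_by_sp(SAMPLE_AUDIT_LOGS):
        print(f"ALERT: {f['creator']} ({f['creator_id']}) created service principal {f['target']}")
```

Only the second record fires; adding the Build-Automation identifier to ALLOWED_CREATOR_IDS suppresses it, which is how you would handle a known managed service after confirming it is expected.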

Microsoft 365 Azure AD (Entra)

NEW:

  • Microsoft 365: Impossible Travel AAD Login - 500 to 999 miles
  • Microsoft 365: Impossible Travel AAD Login - 1,000 to 2,000

These new detection rules, which are disabled by default, are similar to the “Microsoft 365: Impossible Travel AAD Login - 2,001 miles and higher” rule. When enabled, they trigger an alert when successful logins for the same user are detected 500 to 999 miles apart within a 2-hour window, or 1,000 to 2,000 miles apart within a 4-hour window. The 2,001 miles and higher rule keeps its 6-hour window. Because the shorter distance bands can be covered by ordinary travel, expect more benign hits from these rules than from the 2,001-mile rule, and review the locations and client details before enabling them tenant-wide.

Note: Windowed detection rules are only available in paid Blumira editions.
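To make the three distance bands and their time windows concrete, here is an added Python example (not Blumira's implementation) that runs the impossible-travel logic over constructed sign-in records: it computes the great-circle distance between each pair of successful logins for the same user, then checks the pair against the band whose distance range it falls in and that band's window. The record layout, the coordinates and the user names are constructed for the example; real Entra sign-in logs carry a location object from which latitude and longitude would be taken.

```python
"""Impossible-travel check with the release notes' distance bands and windows.
Added example; not Blumira's rule implementation."""
import math
from datetime import datetime, timedelta, timezone
from itertools import combinations

EARTH_RADIUS_MILES = 3958.8

# (min miles, max miles, maximum elapsed time) per the release notes.
TRAVEL_BANDS = [
    (500, 999, timedelta(hours=2), "500 to 999 miles"),
    (1000, 2000, timedelta(hours=4), "1,000 to 2,000 miles"),
    (2001, math.inf, timedelta(hours=6), "2,001 miles and higher"),
]
LONGEST_WINDOW = max(b[2] for b in TRAVEL_BANDS)

# Constructed sample sign-ins (values are made up; lat/lon are city centres).
SAMPLE_SIGNINS = [
    # Detroit -> Denver, ~1,150 miles in 1.5 h: 1,000 to 2,000 band, alert.
    {"user": "alice@contoso.example", "ts": "2024-07-10T12:00:00Z", "result": "success", "city": "Detroit", "lat": 42.33, "lon": -83.05},
    {"user": "alice@contoso.example", "ts": "2024-07-10T13:30:00Z", "result": "success", "city": "Denver", "lat": 39.74, "lon": -104.99},
    # Chicago -> Nashville, ~400 miles: below every band, no alert.
    {"user": "bob@contoso.example", "ts": "2024-07-10T08:00:00Z", "result": "success", "city": "Chicago", "lat": 41.88, "lon": -87.63},
    {"user": "bob@contoso.example", "ts": "2024-07-10T14:00:00Z", "result": "success", "city": "Nashville", "lat": 36.16, "lon": -86.78},
    # Seattle (failed) -> Miami: failed logins are ignored, no alert.
    {"user": "carol@contoso.example", "ts": "2024-07-10T09:00:00Z", "result": "failure", "city": "Seattle", "lat": 47.61, "lon": -122.33},
    {"user": "carol@contoso.example", "ts": "2024-07-10T10:00:00Z", "result": "success", "city": "Miami", "lat": 25.76, "lon": -80.19},
    # New York -> London, ~3,460 miles in 7.5 h: outside the 6-hour window, no alert.
    {"user": "dave@contoso.example", "ts": "2024-07-10T09:00:00Z", "result": "success", "city": "New York", "lat": 40.71, "lon": -74.01},
    {"user": "dave@contoso.example", "ts": "2024-07-10T16:30:00Z", "result": "success", "city": "London", "lat": 51.51, "lon": -0.13},
    # Dallas -> Chicago, ~800 miles in 1 h: 500 to 999 band, alert.
    {"user": "eve@contoso.example", "ts": "2024-07-10T09:00:00Z", "result": "success", "city": "Dallas", "lat": 32.78, "lon": -96.80},
    {"user": "eve@contoso.example", "ts": "2024-07-10T10:00:00Z", "result": "success", "city": "Chicago", "lat": 41.88, "lon": -87.63},
]


def haversine_miles(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points in miles."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(a))


def classify(miles: float, elapsed: timedelta):
    """Return the band label the pair violates, or None if it is plausible."""
    for lo, hi, window, label in TRAVEL_BANDS:
        if lo <= miles <= hi and elapsed <= window:
            return label
    return None


def _parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_impossible_travel(signins) -> list[dict]:
    """One finding per user pair of successful logins that violates a band."""
    by_user: dict[str, list] = {}
    for s in signins:
        if s["result"] == "success":
            by_user.setdefault(s["user"], []).append(s)
    findings = []
    for user, logins in by_user.items():
        logins.sort(key=lambda s: _parse_ts(s["ts"]))
        for a, b in combinations(logins, 2):
            elapsed = _parse_ts(b["ts"]) - _parse_ts(a["ts"])
            if elapsed > LONGEST_WINDOW:
                continue  # beyond every window, nothing to evaluate
            miles = haversine_miles(a["lat"], a["lon"], b["lat"], b["lon"])
            band = classify(miles, elapsed)
            if band:
                findings.append({"user": user, "from": a["city"], "to": b["city"],
                                 "miles": round(miles), "hours": elapsed.total_seconds() / 3600,
                                 "band": band})
    return findings


if __name__ == "__main__":
    for f in detect_impossible_travel(SAMPLE_SIGNINS):
        print(f"ALERT [{f['band']}]: {f['user']} {f['from']} -> {f['to']} "
              f"({f['miles']} mi in {f['hours']:.1f} h)")
```

The dave case is the one practitioners most often misread: a 3,460-mile hop is not an alert by itself; it is an alert only when the two logins fall within the band's window, which is why the 7.5-hour gap stays quiet under the 6-hour rule.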

Google Workspace

NEW - Google Workspace: 100 or More Drive Deletions in 15 Minutes

This new P3 Risk detection rule triggers when a single user’s deletion activity within Google Drive exceeds 100 files within a 15-minute window.
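The rule above is a sliding-window count, which is easy to get subtly wrong (counting all activity instead of deletions, or using fixed 15-minute buckets that split a burst across two buckets). Here is an added Python example, not Blumira's code, that implements it per user over constructed Google Drive audit events: it keeps a per-user deque of deletion timestamps, drops anything older than 15 minutes, and raises one finding the first time the count reaches 100. The event names counted as deletions and the record layout are assumptions for this example.

```python
"""Per-user sliding-window count: 100 or more Drive deletions in 15 minutes.
Added example; not Blumira's rule implementation."""
from collections import deque
from datetime import datetime, timedelta, timezone

THRESHOLD = 100
WINDOW = timedelta(minutes=15)
# Assumption for this example: these Drive audit event names count as deletions.
DELETION_EVENTS = {"delete", "trash"}


def make_sample_events() -> list[dict]:
    """Constructed Drive audit events; every value is made up."""
    base = datetime(2024, 7, 15, 9, 0, tzinfo=timezone.utc)
    events = []
    # alice: 150 deletions spread over three hours (one every 72 s), a slow
    # cleanup that never reaches 100 inside any 15-minute window.
    events += [{"actor": "alice@contoso.example", "ts": base + timedelta(seconds=72 * i),
                "event": "delete", "doc_id": f"a{i}"} for i in range(150)]
    # mallory: 120 deletions in ten minutes (one every 5 s), a mass wipe.
    events += [{"actor": "mallory@contoso.example", "ts": base + timedelta(hours=1, seconds=5 * i),
                "event": "trash", "doc_id": f"m{i}"} for i in range(120)]
    # mallory also views 50 files in the same minute; views are not deletions.
    events += [{"actor": "mallory@contoso.example", "ts": base + timedelta(hours=1, seconds=i),
                "event": "view", "doc_id": f"v{i}"} for i in range(50)]
    # bob: 99 deletions in 99 seconds, one short of the threshold.
    events += [{"actor": "bob@contoso.example", "ts": base + timedelta(hours=2, seconds=i),
                "event": "delete", "doc_id": f"b{i}"} for i in range(99)]
    return events


def find_mass_deletions(events, threshold=THRESHOLD, window=WINDOW) -> list[dict]:
    """Return one finding per user the first time their deletion count in any
    trailing `window` reaches `threshold`."""
    windows: dict[str, deque] = {}
    flagged: set[str] = set()
    findings = []
    # Events may arrive out of order; sort so the window slides forward only.
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] not in DELETION_EVENTS:
            continue
        user = ev["actor"]
        dq = windows.setdefault(user, deque())
        dq.append(ev["ts"])
        # Evict deletions that fell out of the trailing window.
        while ev["ts"] - dq[0] > window:
            dq.popleft()
        if len(dq) >= threshold and user not in flagged:
            flagged.add(user)
            findings.append({"user": user, "count": len(dq),
                             "window_start": dq[0], "window_end": ev["ts"]})
    return findings


if __name__ == "__main__":
    for f in find_mass_deletions(make_sample_events()):
        span = (f["window_end"] - f["window_start"]).total_seconds() / 60
        print(f"ALERT: {f['user']} deleted {f['count']} files in {span:.1f} minutes")
```

Emitting a single finding per user when the threshold is first crossed, rather than on every subsequent deletion, keeps one incident from producing dozens of alerts; a production rule would also reset the flag once the user's window drains.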

Google Workspace

Google Workspace: Suspicious Login Allowed

We renamed the “Google Workspace: Suspicious Login” detection rule to “Google Workspace: Suspicious Login Allowed” to clarify that it alerts on logins Google flagged as suspicious but still allowed, rather than on blocked attempts.

This rule is now deployed in a default-disabled state, so administrators of newly integrated accounts can choose to enable it.

JumpCloud

NEW - JumpCloud: User Created

This new P3 Operational detection rule alerts when JumpCloud users are created. It is disabled by default.

JumpCloud

NEW - JumpCloud: User Deleted

This new P3 Operational detection rule alerts when JumpCloud users are deleted. It is disabled by default.

Multi-source

Reconnaissance via Net Commands

Findings for this detection now include the parent.cmdline field in the matched evidence when it exists in the log data, so analysts can see which process launched the net command without pivoting to the raw log.

Multi-source

Remote Access Tool: LogMeIn

This detection rule now includes logic to detect when the LogMeIn Rescue executable LMI_Rescue.exe is run.

May Release Notes

In case you missed the May updates, you can find and review those notes here.