In July, we released an Azure Event Hubs Cloud Connector to provide improved cloud-based logging of the data you stream through an event hub, such as Entra or Defender logs. We also created a new Microsoft 365 global report and six new detection rules!
Azure Event Hubs Cloud Connector: Users of all Blumira editions can now use a Blumira Cloud Connector to integrate with Azure Event Hubs, including event hubs located in regions outside the United States. This updated integration replaces the original sensor-based integration so you can easily connect Blumira to your event hub for logging data from Azure Monitor, Microsoft Defender, Intune, or Entra.
New Global Report: The “Microsoft 365: Forwarding Rule Activity Previous 30 Days” report helps users to audit new rules that have recently been created within their Exchange Online tenant.
| Log Type | Detection Details |
|---|---|
| Azure AD Audit (Entra) |
NEW - Azure: Service Principal Creation By Service Principal This new detection rule alerts when a Service Principal in Entra creates another Service Principal. Some Azure services and products can perform this as part of a managed service. Threat actors have been observed using this technique to gain persistence growing their foothold in Azure environments. |
| Microsoft 365 Azure AD (Entra) |
NEW:
These new detection rules, which are disabled by default, are similar to the “Microsoft 365: Impossible Travel AAD Login - 2,001 miles and higher” rule. When enabled, these trigger an alert when successful logins are detected between 500 to 999 miles apart within a 2-hour window or between 1,000 to 2,000 miles apart within a 4-hour window. 2,001 miles and higher still has a 6-hour window. Note: Windowed detection rules are only available in paid Blumira editions. |
| Google Workspace |
NEW - Google Workspace: 100 or More Drive Deletions in 15 Minutes This new P3 Risk detection rule triggers when a single user’s deletion activity within Google Drive exceeds 100 files within a 15-minute window. |
| Google Workspace |
Google Workspace: Suspicious Login Allowed We renamed the “Google Workspace: Suspicious Login” detection rule to “Google Workspace: Suspicious Login Allowed” to clarify that it alerts on allowed activity that meets the suspicious behavior described here. This rule is now deployed in a default-disabled state, so administrators of newly integrated accounts can choose to enable it. |
| JumpCloud |
NEW - JumpCloud: User Created When enabled, this new P3 Operational detection rule alerts when JumpCloud users are created. It is disabled by default. |
| JumpCloud |
NEW - JumpCloud: User Deleted When enabled, this new P3 Operational detection rule alerts when JumpCloud users are deleted. It is disabled by default. |
| Multi-source |
Reconnaissance via Net Commands Findings for this detection now include the |
| Multi-source |
Remote Access Tool: LogMeIn This detection rule now includes logic to detect when the LogMeIn Rescue executable |
In case you missed the May updates, you can find and review those notes here.