Summary
In November, we announced a new Cloud Connector, Microsoft Defender for Cloud Apps, available to all users including Free SIEM; a Synology parser integration; and various improvements to help streamline investigations, improve workflows, and enhance our users' overall experience managing security with Blumira.
Feature and Platform Updates
New Cloud Connector Integration: Microsoft Defender for Cloud Apps is a multipurpose software as a service (SaaS) security solution that combines security posture management, data loss prevention, app-to-app protection, and integrated threat protection to monitor cloud app activity, help protect data, and prevent threats. Now, you can easily enable Blumira's Cloud Connector to monitor your cloud app activity using Microsoft Defender for Cloud Apps. This is available to all users, including Free SIEM. See our support article to learn more.
New Parser Integration: Network-attached storage (NAS) provides a centralized location on a network to store data. Synology’s NAS allows users to build a private cloud to store, access, back up, and share files freely and securely. A Synology parser has been released and is available to users with access to sensor integrations (SIEM+ and XDR Platform). Learn more about Blumira sensors.
Rule Clean-Up: If an account stops receiving logs for at least six months, we will remove the detection rules related to those obsolete logs to help clean up the Detection Rules page and make it obvious which rules are still relevant in the account.
Finding Evidence: Finding evidence now appears in a single table that updates as new evidence arrives, so users can find all the data they need in one place and spend less time tracking it down during investigations.
Blumira Agent: We added install key names to the Blumira Agent device list to help you easily identify which install key was used for any specific agent device.
Detection Updates
| Log Type | Detection Details |
|---|---|
| Windows or Blumira Agent for Windows | NEW - Midnight Blizzard Suspicious RDP File Created. A detection to find those sneaky Midnight Blizzard IoCs! If you haven't heard, there have been active campaigns from the Russian threat actor group "Midnight Blizzard", which has been sending targeted phishing emails carrying .rdp files that expose sensitive information by mapping local resources to a remote server. Default state: Enabled |
| Azure Authentication | NEW - Azure: Potential Token Theft via Entra Device Code Flow. This detects when a Microsoft 365 request has been made to retrieve a primary refresh token through a device code flow via the device registration service within Azure. This can happen as a normal part of joining a machine to Entra ID. However, research has shown that this device registration service can be abused, for example through phishing attempts, to gain and maintain access to a user's account. Default state: Enabled |
| MS365 Sharepoint | NEW - MS365 Sharepoint: 500 or More File Deletions in 15 Minutes |
| Windows | NEW - High Number of Windows Group Enumeration Events |
| All firewall types | SMB Connection from Public IP |
| CrowdStrike | CrowdStrike Detections v2 |
| Duo Auth | Duo: High Number of MFA Requests |
| Office/Azure Active Directory Audit | Azure: Entra ID Global Admin Role Assignment & Azure: Entra ID Global Admin Role Assignment by PIM/GDAP |
| Office/Azure Active Directory Audit | Azure AD: Anomalous Agent Sign-In Activity |
| Office/Azure Active Directory Audit | Microsoft 365: MFA Device Registered Without Device Details |
| All firewall types | Internal Reconnaissance - All Connections |
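The Midnight Blizzard detection above keys on .rdp files that map local resources to a remote server. The following is an added example, not Blumira's detection logic and not code from Microsoft: it parses the standard `key:type:value` lines of an .rdp file and reports which resource-redirection settings the file enables, rating the file higher when drives or devices are mapped to a host outside a trusted list. The sample file contents and hostnames are constructed placeholders.

```python
"""Inspect an .rdp file for settings that map local resources to a remote host.

Added example, not Blumira's detection logic. It reads the standard
"key:type:value" lines of an .rdp file and reports the redirection settings
the file enables. Sample contents and hostnames below are constructed.
"""
from __future__ import annotations

# Standard .rdp settings that expose local resources to the remote session.
# Drive/device keys take a list ("*" means everything); the others are 0/1.
DRIVE_DEVICE_KEYS = {
    "drivestoredirect": "local drives mapped to the remote host",
    "devicestoredirect": "local plug-and-play devices mapped to the remote host",
}
FLAG_KEYS = {
    "redirectclipboard": "clipboard shared with the remote host",
    "redirectprinters": "printers shared with the remote host",
    "redirectsmartcards": "smart cards shared with the remote host",
    "redirectcomports": "COM ports shared with the remote host",
}


def parse_rdp(text: str) -> dict:
    """Parse 'key:type:value' lines into {key: value}; malformed lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.strip().split(":", 2)
        if len(parts) != 3:
            continue
        key, _type, value = parts
        settings[key.strip().lower()] = value.strip()
    return settings


def assess_rdp(text: str, trusted_hosts: frozenset = frozenset()) -> dict:
    """Return the remote host, the redirection settings enabled, and a risk level.

    risk: "high"   drives or devices are mapped to a host outside trusted_hosts
          "medium" only clipboard/printer/smartcard/COM redirection to an untrusted host
          "low"    no redirection enabled, or the host is trusted
    """
    s = parse_rdp(text)
    host = s.get("full address", "")
    reasons, drives = [], False
    for key, desc in DRIVE_DEVICE_KEYS.items():
        if s.get(key, ""):
            reasons.append(f"{desc} ({key}:s:{s[key]})")
            drives = True
    for key, desc in FLAG_KEYS.items():
        if s.get(key) == "1":
            reasons.append(f"{desc} ({key}:i:1)")
    if s.get("remoteapplicationmode") == "1":
        reasons.append("RemoteApp mode (remoteapplicationmode:i:1): no full desktop is shown, so redirection is less visible")

    # Strip an optional ":port" suffix (only when exactly one colon is present).
    hostname = host.rsplit(":", 1)[0] if host.count(":") == 1 else host
    trusted = hostname.lower() in {h.lower() for h in trusted_hosts}
    if trusted or not reasons:
        risk = "low"
    elif drives:
        risk = "high"
    else:
        risk = "medium"
    return {"remote_host": host, "reasons": reasons, "risk": risk}


# Constructed sample: a file of the kind described in the release note.
SAMPLE_PHISH_RDP = """\
screen mode id:i:2
full address:s:rdp.example.invalid
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
remoteapplicationmode:i:1
"""

# Constructed sample: an ordinary internal terminal-server shortcut.
SAMPLE_BENIGN_RDP = """\
full address:s:ts01.corp.example
drivestoredirect:s:
redirectclipboard:i:1
"""

if __name__ == "__main__":
    for name, text in (("phish", SAMPLE_PHISH_RDP), ("benign", SAMPLE_BENIGN_RDP)):
        print(name, assess_rdp(text, trusted_hosts=frozenset({"ts01.corp.example"})))
```

Clipboard redirection is common in legitimate internal shortcuts, which is why the check treats drive and device mapping to an unknown host as the strong signal and everything else as a lower tier; in practice the trusted-host list would come from your own inventory of terminal servers.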
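The "500 or More File Deletions in 15 Minutes" rule in the table is a sliding-window threshold detection. As an added example that is not Blumira's rule, the block below implements that pattern over Microsoft 365 audit-style events, keeping a per-user deque of recent deletion timestamps so the count is exact and memory stays bounded by the burst size. The events are constructed; only the field names (CreationTime, UserId, Operation) follow the unified audit log shape, and the set of deletion operation names is an assumption for the example.

```python
"""Sliding-window threshold detection: N or more file deletions by one user
within a fixed window, the pattern behind a "500 or more deletions in
15 minutes" style rule.

Added example, not Blumira's rule. Field names follow the Microsoft 365
unified audit log (CreationTime, UserId, Operation); all values are constructed.
"""
from collections import deque
from datetime import datetime, timedelta, timezone

# SharePoint/OneDrive audit operations counted as a deletion (assumed set).
DELETE_OPS = {"FileDeleted", "FileRecycled", "FileDeletedFirstStageRecycleBin"}


def _parse_time(value: str) -> datetime:
    # Audit timestamps are UTC ISO 8601 with a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_mass_deletions(events, threshold=500, window=timedelta(minutes=15)):
    """Return one alert per user per burst of >= threshold deletions inside `window`.

    Events may arrive in any order; they are sorted by CreationTime first.
    A per-user deque holds only the timestamps still inside the window.
    """
    recent = {}        # user -> deque of timestamps within the window
    in_burst = set()   # users already alerted for the current burst
    alerts = []
    for ev in sorted(events, key=lambda e: e["CreationTime"]):
        if ev.get("Operation") not in DELETE_OPS:
            continue
        user = ev["UserId"]
        ts = _parse_time(ev["CreationTime"])
        q = recent.setdefault(user, deque())
        q.append(ts)
        while ts - q[0] > window:       # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            if user not in in_burst:    # alert once per burst, not once per event
                alerts.append({
                    "user": user,
                    "count": len(q),
                    "window_start": q[0].isoformat(),
                    "window_end": ts.isoformat(),
                })
                in_burst.add(user)
        else:
            in_burst.discard(user)      # burst is over; a new one may alert again
    return alerts


def make_sample_events():
    """Constructed audit events: one real burst, one small burst, one slow steady stream."""
    base = datetime(2024, 11, 12, 9, 0, tzinfo=timezone.utc)

    def ev(user, seconds, op="FileDeleted"):
        when = base + timedelta(seconds=seconds)
        return {"CreationTime": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
                "UserId": user, "Operation": op, "Workload": "SharePoint"}

    events = []
    events += [ev("alice@example.com", i * 600 / 520) for i in range(520)]  # 520 in 10 min: alert
    events += [ev("bob@example.com", i * 6) for i in range(50)]             # 50 in 5 min: no alert
    events += [ev("carol@example.com", i * 12) for i in range(600)]         # 600 over 2 h: no alert
    events += [ev("alice@example.com", 30, op="FileAccessed")]              # non-deletion, ignored
    return events


if __name__ == "__main__":
    for alert in detect_mass_deletions(make_sample_events()):
        print(alert)
```

Carol's 600 deletions never trigger because they are spread evenly at 12-second intervals, so no 15-minute window holds more than 76 of them; that is the property a fixed-window count gets wrong at bucket boundaries and a sliding window gets right.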
Bug Fixes and Improvements
Our Cloud Connectors are now listed in alphabetical order! Additional improvements include:
- Blocklist Feature Improvements
  - Expired entries removed - Blocks that had expired were causing issues with the blocklist feature: some customers accumulated up to 20,000 items in their blocklist table, which prevented them from searching or seeing all of their blocks. Expired entries are now removed.
  - Allowlists were sometimes being ignored - When you set an allowlist, the feature now works as expected.
  - Community tags always populate now - We love our community and are glad you do too! Community dynamic blocklists (DBLs) allow you to use our collective brain power and block traffic based on other Blumira customers' entries.
  - Automated flag wasn't working - This could cause confusion if a user created a block manually and it was then overwritten by an automated block. Now user blocks always override the automatic ones.
  - Ignoring private ranges - Automated blocks will no longer be applied to private IP addresses. You can still add them manually if you want to.
- Resolving Example Findings - This previously only worked until you generated a real finding. Now all example findings will be resolved.
- Detection Filter (DF) Improvement - When evidence is updated in findings, the new columns that appear were not available to create DFs on. That has now been rectified.
October Release Notes
In case you missed the October updates, you can find and review those notes here.
Thu Pham
Thu has over 15 years of experience in the information security and technology industries. Prior to joining Blumira, she held both content and product marketing roles at Duo Security, leading go-to-market (GTM) and messaging for the portfolio solution Cisco Zero Trust. She holds a bachelor of science degree in...