    November 12, 2024

    October 2024 Product Release Notes

    Summary

    This October, we're excited to bring you enhanced security with our CrowdStrike Cloud Connector, streamlined operations for MSPs with Bulk Rule Management, improved access monitoring via SonicWall SMA integration, and a more efficient Blumira Agent device list. These updates are designed to boost your security posture and simplify management.

    Feature and Platform Updates

    CrowdStrike Cloud Connector Integration: Blumira has launched a new CrowdStrike Cloud Connector, seamlessly integrating with CrowdStrike's Falcon Endpoint Protection platform. This integration enables real-time streaming of server and workstation endpoint security events and alerts to Blumira's detection and response system, enhancing overall security posture. This integration is available for all Blumira editions, including Free SIEM.

    Bulk Rule Management for MSPs: Blumira has released Bulk Rule Management, a feature of our MSP Portal that increases visibility into all detection rules, while saving you time managing and configuring detections across all of your client accounts.

    SonicWall SMA Integration: SonicWall SMA appliances provide secure access (including clientless access to web applications, access to client/server applications, and file sharing) to employees, business partners, and customers. All traffic is encrypted using Secure Sockets Layer (SSL) to protect it from unauthorized users. The appliance makes applications available through a range of access methods, including a standard web browser, a client application (for example, Connect Tunnel), or a mobile device app, on a wide range of platforms including Windows, macOS, Linux, and mobile devices.

    Blumira Agent Device List Enhancement: We have optimized the Blumira Agent device page to display up to 250 Agents per page, significantly improving navigation efficiency for organizations managing large-scale agent deployments.

    Detection Updates

    Log Type Detection Details

    Audit

    When a new Restricted Management Administrative Unit has been created in your environment. While Administrative Units can be created legitimately by administrators, threat actors could leverage Restricted Management Administrative Units to help set up backdoor access to an Entra directory.

    Default state: Enabled

    Fortigate Event

    NEW - FortiGate: FortiManager CVE-2024-47575 Missing authentication in fgfmsd

    This CVE has been assigned a CVSSv3 score of 9.8 (Critical) as it can allow a remote unauthenticated attacker the ability to execute arbitrary code or commands via specially crafted requests.

    The log entry IOCs being monitored for are:

    msg="Unregistered device localhost add succeeded"

    changes="Edited device settings (SN FMG-VMTM23017412)

    Default state: Enabled
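The two log entry IOCs above can be checked per field rather than by substring search, so the same text in an unrelated field does not raise a finding. This is an added example, not Blumira's detection logic; the key=value log layout, the sample lines and the function names are assumptions made for illustration.

```python
import re

# IOC strings quoted in the release note. The "changes" value is matched as a
# prefix because the note shows it without a closing quote.
IOC_MSG = "Unregistered device localhost add succeeded"
IOC_CHANGES_PREFIX = "Edited device settings (SN FMG-VMTM23017412)"

# key="quoted value" or key=bare_token
PAIR = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')

def parse_kv(line):
    """Split one key=value log line into a dict (layout is an assumption)."""
    return {key: quoted or bare for key, quoted, bare in PAIR.findall(line)}

def match_iocs(line):
    """Return the names of the fields in this line that carry an IOC."""
    fields = parse_kv(line)
    hits = []
    if fields.get("msg") == IOC_MSG:
        hits.append("msg")
    if fields.get("changes", "").startswith(IOC_CHANGES_PREFIX):
        hits.append("changes")
    return hits

# Constructed sample lines, not real FortiManager output.
SAMPLE_LOGS = [
    'type=event subtype=dvm msg="Unregistered device localhost add succeeded"',
    'type=event subtype=dvm msg="Edited device settings" changes="Edited device settings (SN FMG-VMTM23017412)"',
    'type=event subtype=dvm msg="Unregistered device branch-fw-01 add succeeded"',
    'type=event subtype=system msg="Log search" query="Unregistered device localhost add succeeded"',
]

def scan(lines):
    """Return (line_index, matched_fields) for every line with at least one IOC."""
    results = []
    for index, line in enumerate(lines):
        hits = match_iocs(line)
        if hits:
            results.append((index, hits))
    return results

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_LOGS):
        print(f"line {index}: IOC in {', '.join(hits)}")
```

The fourth sample line contains the IOC text in a `query` field and is not reported, which a plain substring search would get wrong.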

    Blumira Agent, Windows

    NEW - Driver Integrity Checks Disabled via bcdedit

    These commands will allow unsigned drivers to run on a host. Administrators may use these commands legitimately to troubleshoot driver compatibility conflicts or for driver development and testing; however, this is uncommon. Threat actors have been observed abusing these commands in order to run unsigned and malicious or vulnerable drivers.

    Default state: Enabled

    GCP Cloud Audit

    NEW - Google Cloud Platform: Potential Cross Project Image Exfiltration

    When a compute image has been copied into a destination project from a different source project within your Google Cloud Platform tenant. These events can be caused by legitimate activity. It is possible that this could be the first in a chain of events that can allow a sensitive compute image to be exfiltrated outside of your Google Cloud Platform tenant. This initial step could be an attempt to avoid suspicion by copying the image to a more permissive or less observed project before performing a copy to an external storage solution or cloud-based bucket.

    Default state: Enabled

    Blumira Agent, Windows

    NEW - Suspicious Execution of Windows 'cipher' Command

    This tool may be used legitimately to display or alter the encryption of directories and files on NTFS volumes. Threat actors have been observed abusing this tool as a precursor to ransomware deployment. This detection specifically looks for cipher being run with the /w parameter against a specific drive (e.g., cipher /w:\\?\C:), a malicious tactic observed in the wild.

    Default state: Enabled
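A sketch of the command-line condition described above, run over process command lines. This is an added example, not Blumira's rule; it assumes that "a specific drive" means a bare drive root with or without the `\\?\` prefix, and the sample command lines and function names are constructed for illustration.

```python
import re

# cipher (bare, quoted, or with a full path / .exe) followed by a /w:<target> switch.
CIPHER_W = re.compile(
    r'(?:^|[\\/"\s])cipher(?:\.exe)?"?\s+(?:.*\s)?/w:(?P<target>"[^"]*"|\S+)',
    re.IGNORECASE,
)
# Assumption: a "specific drive" is a drive root such as C:, C:\ or \\?\C:
DRIVE_ROOT = re.compile(r'^(?:\\\\\?\\)?[A-Za-z]:\\?$')

def cipher_wipe_target(cmdline):
    """Return the /w: target of a cipher invocation, or None if there is none."""
    match = CIPHER_W.search(cmdline)
    if match is None:
        return None
    return match.group("target").strip('"')

def is_suspicious(cmdline):
    """True when cipher is run with /w against a drive root."""
    target = cipher_wipe_target(cmdline)
    return target is not None and DRIVE_ROOT.match(target) is not None

# Constructed sample command lines.
SAMPLE_CMDLINES = [
    r'cipher /w:\\?\C:',                          # the form quoted in the note
    r'"C:\Windows\System32\cipher.exe" /W:D:',    # full path, upper-case switch
    r'cipher /w:C:\Users\alice\Temp',             # folder target: outside this rule
    r'cipher /e /s:C:\Docs',                      # encryption, no /w switch
    r'decipher /w:C:',                            # different binary name
]

def flagged(cmdlines):
    """Return the command lines that satisfy the rule."""
    return [c for c in cmdlines if is_suspicious(c)]

if __name__ == "__main__":
    for cmdline in flagged(SAMPLE_CMDLINES):
        print("suspicious:", cmdline)
```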

    All Traffic Logs

    50GB+ Outbound Connection via Generic Network Protocol

    This has been reworked to reduce false positives and more accurately judge network transfer sizes.

    ASA System

    ASA WebVPN Anomalous Access Attempts

    Existing logic had a bug where obscured usernames failed to generate findings. Updated logic accounts for this. Analysis updated and workflow reworked. Global Reports created for responders.

    Blumira Agent, Windows

    Suspicious SPN Enumeration

    Updating title from "Suspicious SPN Enumeration" to "Suspicious SPN Enumeration via Setspn" to specify Suspicious SPN Enumeration by the setspn tool.

    Windows

    Potential Credential Access via DCSync

    This detection was broken and will be repaired in this release. While it is default disabled, some customers with it enabled may start receiving Findings in response to the repair.

    Windows

    • Null Session Activity - Large Amount of Total Authentications (windowed)

    • Null Session Authentication by known Attack Tool (windowed)

    • Null Session Activity (windowed)

    Null Session detections had minor changes to analysis phrasing.

    All Traffic Logs

    RDP Connection from Public IP

    This is now a real-time detection.

    Azure Signin

    Azure Identity Protection Risky Sign-in All and High

    We have updated the analysis and fields to include the creation_time to give responders more context when investigating.

    September Release Notes

    In case you missed the September updates, you can find and review those notes here.
