Summary
This October, we're excited to bring you enhanced security with our CrowdStrike Cloud Connector, streamlined operations for MSPs with Bulk Rule Management, improved access monitoring via SonicWall SMA integration, and a more efficient Blumira Agent device list. These updates are designed to boost your security posture and simplify management.
Feature and Platform Updates
CrowdStrike Cloud Connector Integration: Blumira has launched a new CrowdStrike Cloud Connector, seamlessly integrating with CrowdStrike's Falcon Endpoint Protection platform. This integration enables real-time streaming of server and workstation endpoint security events and alerts to Blumira's detection and response system, enhancing overall security posture. This integration is available for all Blumira editions, including Free SIEM.
Bulk Rule Management for MSPs: Blumira has released Bulk Rule Management, a feature of our MSP Portal that increases visibility into all detection rules, while saving you time managing and configuring detections across all of your client accounts.
SonicWall SMA Integration: SonicWall SMA appliances provide secure access, including clientless access to web applications, access to client/server applications, and file sharing, to employees, business partners, and customers. All traffic is encrypted using Secure Sockets Layer (SSL) to protect it from unauthorized users. The appliance makes applications available through a range of access methods, including a standard web browser, a client application (for example, Connect Tunnel), or a mobile device app, on a wide range of platforms including Windows, macOS, Linux, and mobile devices.
Blumira Agent Device List Enhancement: We have optimized the Blumira Agent device page to display up to 250 Agents per page, significantly improving navigation efficiency for organizations managing large-scale agent deployments.
Detection Updates
| Log Type | Detection Details |
|---|---|
| Audit | When a new Restricted Management Administrative Unit has been created in your environment. While Administrative Units can be created legitimately by administrators, threat actors could leverage Restricted Management Administrative Units to help set up backdoor access to an Entra directory. Default state: Enabled |
| Fortigate Event | NEW - FortiGate: FortiManager CVE-2024-47575 Missing authentication in fgfmsd. This CVE has been assigned a CVSSv3 score of 9.8 (Critical), as it can allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests. The log entry IOCs being monitored for are. Default state: Enabled |
| Blumira Agent, Windows | NEW - Driver Integrity Checks Disabled via bcdedit. These commands allow unsigned drivers to run on a host. Administrators may use them legitimately to troubleshoot driver compatibility conflicts or for driver development and testing, but this is uncommon. Threat actors have been observed abusing these commands in order to run unsigned and malicious or vulnerable drivers. Default state: Enabled |
| GCP Cloud Audit | NEW - Google Cloud Platform: Potential Cross Project Image Exfiltration. When a compute image has been copied into a destination project from a different source project within your Google Cloud Platform tenant. These events can be caused by legitimate activity. It is possible that this could be the first in a chain of events that allows a sensitive compute image to be exfiltrated outside of your Google Cloud Platform tenant. This initial step could be an attempt to avoid suspicion by copying the image to a more permissive or less observed project before copying it to an external storage solution or cloud-based bucket. Default state: Enabled |
| Blumira Agent, Windows | NEW - Suspicious Execution of Windows 'cipher' Command. This tool may be used legitimately to display or alter the encryption of directories and files on NTFS volumes. Threat actors have been observed abusing this tool as a precursor to ransomware deployment. This detection specifically looks for cipher being run with the. Default state: Enabled |
| All Traffic Logs | 50GB+ Outbound Connection via Generic Network Protocol. This has been reworked to reduce false positives and more accurately judge network transfer sizes. |
| ASA System | ASA WebVPN Anomalous Access Attempts. Existing logic had a bug where obscured usernames failed to generate findings; the updated logic accounts for this. Analysis updated and workflow reworked. Global Reports created for responders. |
| Blumira Agent, Windows | Suspicious SPN Enumeration. Title updated from "Suspicious SPN Enumeration" to "Suspicious SPN Enumeration via Setspn" to specify SPN enumeration performed with the setspn tool. |
| Windows | Potential Credential Access via DCSync. This detection was broken and will be repaired in this release. While it is disabled by default, some customers with it enabled may start receiving Findings in response to the repair. |
| Windows | Null Session detections had minor changes to analysis phrasing. |
| All Traffic Logs | RDP Connection from Public IP. This is now a real-time detection. |
| Azure Signin | Azure Identity Protection Risky Sign-in All and High. We have updated the analysis and fields to include the creation_time to give responders more context when investigating. |
September Release Notes
In case you missed the September updates, you can find and review those notes here.