Welcome to our security detection and report update. Our Incident Detection Engineering (IDE) Team is constantly hard at work. Creating, testing, and writing detections for you! This week, we've made several important updates to improve your security posture and enhance the functionality of our detections. As you might know, monthly, we also release an overview of the entirety of what was changed in the product. However in these updates we'll focus on the net new content that IDE provides on an ongoing basis, musings from our team, and maybe the occasional horoscope if you're lucky.
Introduction and Overview
Not all detections are meant to last a lifetime. Every now and then one is retired and replaced with new and exciting logic.
"Don't cry because it's over. Smile because it happened." Dr. Seuss
New Detections
This update introduces:
Azure: Potential Token Theft via Entra Device Code flow
When a Microsoft 365 request has been made to retrieve a Primary Refresh Token through a device code flow via the device registration service within Azure. This can be done as a normal part of a joining a machine to Entra ID. However, research has shown that this device registration service can be abused, for example through phishing attempts, to gain access to a user''s account and maintain it.
When a high number of Windows group enumeration events have been identified in your environment. This is likely related to legitimate administrative or automated service activity such as RMM tools, vulnerability scanners, or backup software. However, it should still be reviewed and confirmed as expected behavior by the responsible accounts. Threat actors may conduct similar reconnaissance when initially landing in an environment with a goal of understanding their permissions and to identify other, more highly privileged accounts. Current default threshold is 100 or more events in a 15 minute window.
Status: Enabled
Log type requirement: Windows
Deprecated Detections
Microsoft 365: MFA Device Registered Without Device Details
This detection will be replaced with several new MFA detections
Amanda Berlin is Lead Incident Detection Engineer at Blumira, bringing nearly two decades of experience to her position. At Blumira she leads a team of incident detection engineers who are responsible for creating new detections based on threat intelligence and research for the Blumira platform. An accomplished...
