Share on:


In April, we announced Blumira Investigate, a tool that simplifies incident response by extending visibility across your correlated data. We also introduced SAML single sign-on (SSO) and released an updated version of our Poshim script for Windows integrations. Upon learning about emerging Palo Alto and Cisco vulnerabilities, we quickly built global reports that help with monitoring threats.

Feature and Platform Updates

  • Blumira Investigate: Starting with a simple piece of evidence—such as a username, IP address, or process name—you can conduct one quick search to unlock correlated event information in your data and view a timeline of results. Perform investigations with less time spent on building the right report query. Blumira Investigate is included in Blumira’s SIEM+ and XDR solutions. Read more about its benefits and use cases here.

  • SAML SSO: Organizations on supported licenses can now configure single sign-on for their users to authenticate with the security of SAML-supported identity providers. See more details in Configuring SSO for your organization.

  • Poshim: The PowerShell shim (Poshim) script used for automating Windows integrations now includes an upgrade to Sysmon version 15.14.

  • Emerging Threat Reports:

    • After Palo Alto detailed the vulnerability in CVE-2024-3400, we released two new reports to help users look for known threat actors in their environments:

      • Palo Alto: Allowed Inbound Traffic From IPs Associated With CVE-2024-3400

      • Palo Alto: Allowed Outbound Traffic From IPs Associated With CVE-2024-3400

    • In response to the Arcane Door activity discovered in Cisco ASA VPNs, we released the report “Cisco ASA: ArcaneDoor Activity Audit” to help users look for indicators of compromise.

Detection Updates

You don’t have to wait! Our blog series of Security Detection Updates provides details about new detections we add each week. Here is the rundown of last month, plus some extras not mentioned in the blog:

Log TypeDetection Details
Azure Entra Directory AuditNEW - Azure: Privileged Graph API Role Assignment

This new detection alerts on the assignment of specific Graph API roles. These roles can be used for standard administrative activity, but they can also be leveraged by attackers to exfiltrate data, modify users, and make other admin-level alterations to your Entra directory.
Blumira Agent and WindowsNEW - Decimal Character Encoded Command

This new detection rule alerts on the use of decimal character encoded commands in CMD prompt or PowerShell, a tactic that is used by threat actors to obfuscate their commands and evade detection. Some administrators may also intentionally use this functionality, but it is extremely uncommon. For more information see How to decode a decimal encoded command.
Blumira Agent and WindowsNEW - Registry Value Tampering: RestrictedAdmin Mode Enabled

This detection rule is disabled by default. RestrictedAdmin mode is disabled by default on most systems. Threat actors have been observed enabling RestrictedAdmin mode to bypass RDP MFA controls or steal and reuse credential hashes. However, some administrators may choose to enable RestrictedAdmin mode as a part of their security controls. All changes to RestrictedAdmin mode should be authorized in advance and, therefore, expected. Investigate any unauthorized, unexpected changes. For more information, see our blog post Why are Threat Actors enabling Windows Restricted Admin mode?
Blumira Agent and WindowsNEW - VSSAdmin Shadow Copy Deletion Command

This new detection rule triggers when a device logs that a command was run to delete shadow copies. While this command may have been legitimately issued by an administrator, it should be investigated and verified to have been run intentionally by an approved user or application. Monitor shadow copy deletion commands to identify unauthorized or malicious activity by threat actors, who have been observed deleting shadow copies after data exfiltration to inhibit the recovery of encrypted systems and/or data.
Duo AdminNEW - Duo: Bypass Code Created

This default-disabled detection alerts when a user creates a bypass code, which can legitimately be due to not having the MFA device after losing or replacing it. Or it could be a bad actor attempting to bypass MFA requirements or creating an additional authentication option under their control.
Google WorkspaceNEW - Google Workspace: Custom Admin Role Created

This new detection rule triggers when a custom administrator role is created in Google Workspace. Users may create these roles for legitimate reasons, as organizations may prefer to limit the scope of certain default roles or avoid their use entirely. Threat Actors may leverage custom admin roles to maintain persistence in an environment and attempt to avoid detection.
Meraki System EventsNEW - Cisco Meraki: System Failover Event

This default-disabled detection alerts when a device logs a Cisco Meraki failover event. If failovers are happening frequently, it may indicate a persistent issue that needs to be addressed. For more information about Meraki failover events, see Meraki’s Routed HA Failover Behavior.
Microsoft365 Azure ADNEW - Microsoft 365: MFA Device Registered Without Device Details

This new detection alerts when a new device has been registered for at least one of your users in Microsoft 365 and doesn't contain any device details. This could be normal activity like a user adding an alternate authenticator app that isn’t using the Microsoft Authenticator, such as Duo Security, 1Password, etc. It could instead be a Threat Actor attempting to add an MFA option that they control, in order to satisfy MFA requirements in Microsoft 365 environments.
SonicWall TrafficNEW - SonicWall: Configuration Change

This new default-disabled detection rule alerts when a SonicWall device logs a configuration change.
Azure ADAzure AD: Anomalous Agent Sign-In Activity

We updated the logic of this detection rule to remove blocked sign-ins from results, because they are not actionable.
Microsoft 365Microsoft 365: Suspicious Inbox Rule Creation

We adjusted the window of time in which new matches for this rule are stacked together so that events occurring within one hour stack together in the same finding. This change may help to separate unrelated events that occur over time, which was happening in the previously-set four-hour cooldown window.
Microsoft 365Microsoft 365 Alert Policy: Creation of forwarding/redirect rule

We updated the guidance in these findings to match changes in Microsoft so that users can easily navigate to and review the right areas of their Security and Compliance centers.
Microsoft 365Modification of Microsoft 365 Group

We added group information to the evidence for these findings to improve the data available for investigation. Group details can be found in the info field.
Microsoft Defender ATPMicrosoft Defender for Endpoint: Suspicious Service Launch

We updated the entire analysis and playbook’s guidance to provide a better investigation experience for Responders who work these findings.
Microsoft WindowsStartup Folder LNK File

We added user and devname to the finding’s analysis so users can quickly see in their alerts which user and device the activity relates to.
Multi-SourceTelnet Connection from Public IP

We added these additional fields to the evidence in findings triggered by this detection rule:

Bug Fixes and Improvements

To provide more context and point of reference, we added the following information to finding emails:

  • Finding ID, which quickly identifies the unique finding

  • Data Source, which corresponds to the integration that the event came through

March Highlights

Want to look back at our March Product updates? Check those out here.

Security news and stories right to your inbox!