
Summary

In April, we announced Blumira Investigate, a tool that simplifies incident response by extending visibility across your correlated data. We also introduced SAML single sign-on (SSO) and released an updated version of our Poshim script for Windows integrations. Upon learning about emerging Palo Alto and Cisco vulnerabilities, we quickly built global reports that help with monitoring threats.

Feature and Platform Updates

  • Blumira Investigate: Starting with a simple piece of evidence—such as a username, IP address, or process name—you can conduct one quick search to unlock correlated event information in your data and view a timeline of results. Perform investigations with less time spent on building the right report query. Blumira Investigate is included in Blumira’s SIEM+ and XDR solutions. Read more about its benefits and use cases here.

  • SAML SSO: Organizations on supported licenses can now configure single sign-on for their users to authenticate with the security of SAML-supported identity providers. See more details in Configuring SSO for your organization.

  • Poshim: The PowerShell shim (Poshim) script used for automating Windows integrations now includes an upgrade to Sysmon version 15.14.

  • Emerging Threat Reports:

    • After Palo Alto detailed the vulnerability in CVE-2024-3400, we released two new reports to help users look for known threat actors in their environments:

      • Palo Alto: Allowed Inbound Traffic From IPs Associated With CVE-2024-3400

      • Palo Alto: Allowed Outbound Traffic From IPs Associated With CVE-2024-3400

    • In response to the ArcaneDoor activity discovered in Cisco ASA VPNs, we released the report “Cisco ASA: ArcaneDoor Activity Audit” to help users look for indicators of compromise.

Detection Updates

You don’t have to wait! Our blog series of Security Detection Updates provides details about new detections we add each week. Here is the rundown of last month, plus some extras not mentioned in the blog:

  • Log type: Azure Entra Directory Audit
    Detection: NEW - Azure: Privileged Graph API Role Assignment

    This new detection alerts on the assignment of specific Graph API roles. These roles can be used for standard administrative activity, but they can also be leveraged by attackers to exfiltrate data, modify users, and make other admin-level alterations to your Entra directory.

  • Log type: Blumira Agent and Windows
    Detection: NEW - Decimal Character Encoded Command

    This new detection rule alerts on the use of decimal character encoded commands in the CMD prompt or PowerShell, a tactic used by threat actors to obfuscate their commands and evade detection. Some administrators may also intentionally use this functionality, but it is extremely uncommon. For more information, see How to decode a decimal encoded command.

  • Log type: Blumira Agent and Windows
    Detection: NEW - Registry Value Tampering: RestrictedAdmin Mode Enabled

    This detection rule is disabled by default. RestrictedAdmin mode is disabled by default on most systems. Threat actors have been observed enabling RestrictedAdmin mode to bypass RDP MFA controls or to steal and reuse credential hashes. However, some administrators may choose to enable RestrictedAdmin mode as part of their security controls. All changes to RestrictedAdmin mode should be authorized in advance and, therefore, expected. Investigate any unauthorized, unexpected changes. For more information, see our blog post Why are Threat Actors enabling Windows Restricted Admin mode?

  • Log type: Blumira Agent and Windows
    Detection: NEW - VSSAdmin Shadow Copy Deletion Command

    This new detection rule triggers when a device logs that a command was run to delete shadow copies. While this command may have been legitimately issued by an administrator, it should be investigated and verified to have been run intentionally by an approved user or application. Monitor shadow copy deletion commands to identify unauthorized or malicious activity by threat actors, who have been observed deleting shadow copies after data exfiltration to inhibit the recovery of encrypted systems and/or data.

  • Log type: Duo Admin
    Detection: NEW - Duo: Bypass Code Created

    This default-disabled detection alerts when a user creates a bypass code. This can be legitimate, for example when a user no longer has their MFA device after losing or replacing it, or it could be a bad actor attempting to bypass MFA requirements or to create an additional authentication option under their control.

  • Log type: Google Workspace
    Detection: NEW - Google Workspace: Custom Admin Role Created

    This new detection rule triggers when a custom administrator role is created in Google Workspace. Users may create these roles for legitimate reasons, as organizations may prefer to limit the scope of certain default roles or avoid their use entirely. Threat actors may leverage custom admin roles to maintain persistence in an environment and attempt to avoid detection.

  • Log type: Meraki System Events
    Detection: NEW - Cisco Meraki: System Failover Event

    This default-disabled detection alerts when a device logs a Cisco Meraki failover event. If failovers are happening frequently, it may indicate a persistent issue that needs to be addressed. For more information about Meraki failover events, see Meraki’s Routed HA Failover Behavior.

  • Log type: Microsoft 365 Azure AD
    Detection: NEW - Microsoft 365: MFA Device Registered Without Device Details

    This new detection alerts when a new device has been registered for at least one of your users in Microsoft 365 and the event doesn't contain any device details. This could be normal activity, such as a user adding an alternate authenticator app that isn’t Microsoft Authenticator (for example Duo Security or 1Password). It could instead be a threat actor attempting to add an MFA option that they control in order to satisfy MFA requirements in Microsoft 365 environments.

  • Log type: SonicWall Traffic
    Detection: NEW - SonicWall: Configuration Change

    This new default-disabled detection rule alerts when a SonicWall device logs a configuration change.

  • Log type: Azure AD
    Detection: Azure AD: Anomalous Agent Sign-In Activity

    We updated the logic of this detection rule to remove blocked sign-ins from results, because they are not actionable.

  • Log type: Microsoft 365
    Detection: Microsoft 365: Suspicious Inbox Rule Creation

    We adjusted the window of time in which new matches for this rule are stacked together, so that events occurring within one hour stack together in the same finding. This change should help separate unrelated events that occur over time, which were being grouped together under the previous four-hour cooldown window.

  • Log type: Microsoft 365
    Detection: Microsoft 365 Alert Policy: Creation of forwarding/redirect rule

    We updated the guidance in these findings to match changes in Microsoft so that users can easily navigate to and review the right areas of their Security and Compliance centers.

  • Log type: Microsoft 365
    Detection: Modification of Microsoft 365 Group

    We added group information to the evidence for these findings to improve the data available for investigation. Group details can be found in the info field.

  • Log type: Microsoft Defender ATP
    Detection: Microsoft Defender for Endpoint: Suspicious Service Launch

    We updated the entire analysis and playbook’s guidance to provide a better investigation experience for Responders who work these findings.

  • Log type: Microsoft Windows
    Detection: Startup Folder LNK File

    We added the user and devname fields to the finding’s analysis so users can quickly see in their alerts which user and device the activity relates to.

  • Log type: Multi-Source
    Detection: Telnet Connection from Public IP

    We added these additional fields to the evidence in findings triggered by this detection rule:

      • process_name

      • command

      • parent.cmdline

      • parent_process_name
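As an added illustration of the three new Windows rules listed above (Decimal Character Encoded Command, RestrictedAdmin Mode Enabled, and VSSAdmin Shadow Copy Deletion Command), the following is example detection logic written for this post, not Blumira's own rule logic or schema. It assumes a simplified Sysmon-style event shape, assumes that decimal encoding appears as a run of PowerShell `[char]NN` casts, and uses the `DisableRestrictedAdmin` registry value under `HKLM\System\CurrentControlSet\Control\Lsa`, where a value of 0 enables RestrictedAdmin mode.

```python
import re

# Constructed sample events in a simplified Sysmon-like shape (an assumption,
# not Blumira's schema). Event ID 1 = process creation, 13 = registry value set.
SAMPLE_EVENTS = [
    {"event_id": 1, "user": "CORP\\svc-backup", "command_line": "vssadmin list shadows"},
    {"event_id": 1, "user": "CORP\\jdoe", "command_line": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"event_id": 1, "user": "CORP\\jdoe",
     "command_line": "powershell -c [char]119+[char]104+[char]111+[char]97+[char]109+[char]105"},
    {"event_id": 13, "user": "CORP\\jdoe",
     "target_object": r"HKLM\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin",
     "details": "DWORD (0x00000000)"},
    {"event_id": 13, "user": "CORP\\jdoe",
     "target_object": r"HKLM\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin",
     "details": "DWORD (0x00000001)"},
]

CHAR_CAST = re.compile(r"\[char\]\s*(\d{1,5})", re.IGNORECASE)
SHADOW_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)
RESTRICTED_ADMIN = re.compile(r"\\Control\\Lsa\\DisableRestrictedAdmin$", re.IGNORECASE)

def decode_decimal_chars(command_line, min_casts=3):
    """Return the plaintext behind a run of [char]NN casts, or None when fewer
    than min_casts are present (a single cast is common in benign scripts)."""
    codes = [int(c) for c in CHAR_CAST.findall(command_line)]
    if len(codes) < min_casts:
        return None
    return "".join(chr(c) for c in codes if c <= 0xFFFF)

def evaluate(event):
    """Apply the three rules to one event; return (rule_name, analyst_note) or None."""
    user = event.get("user", "unknown")
    if event["event_id"] == 1:
        cmd = event.get("command_line", "")
        if SHADOW_DELETE.search(cmd):
            return ("VSSAdmin Shadow Copy Deletion Command",
                    f"verify {user} was authorized to delete shadow copies")
        decoded = decode_decimal_chars(cmd)
        if decoded is not None:
            return ("Decimal Character Encoded Command", f"decodes to: {decoded!r}")
    elif event["event_id"] == 13:
        # DisableRestrictedAdmin set to 0 turns RestrictedAdmin mode ON.
        if RESTRICTED_ADMIN.search(event.get("target_object", "")) \
                and event.get("details", "").endswith("(0x00000000)"):
            return ("Registry Value Tampering: RestrictedAdmin Mode Enabled",
                    f"confirm {user} was pre-authorized to make this change")
    return None

def run_detections(events):
    """Return (event_index, rule_name, note) for every event that matches a rule."""
    return [(i, *hit) for i, ev in enumerate(events) if (hit := evaluate(ev))]

if __name__ == "__main__":
    for idx, rule, note in run_detections(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} ({note})")
```

The benign `vssadmin list shadows` event and the registry write that sets the value back to 1 produce no finding, which is the behaviour the rule descriptions above call for.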

Bug Fixes and Improvements

To provide more context and a point of reference, we added the following information to finding emails:

  • Finding ID, which quickly identifies the unique finding

  • Data Source, which corresponds to the integration that the event came through

March Highlights

Want to look back at our March Product updates? Check those out here.
