    May 5, 2025

    April 2025 Product Releases

    In April, we delivered a range of updates to improve detection accuracy, streamline our log integrations, and enhance the overall user experience. Highlights include improvements to our ConnectWise PSA integration for MSPs, new detections for suspicious file behavior and geo-based authentication anomalies across Microsoft 365, Google Workspace, and Windows, as well as updates to existing detections for better context and reduced false positives. We also rolled out several platform enhancements, including improved log access and a faster findings loading experience.

    Feature and Platform Updates

    ConnectWise PSA Integration: We made iterative improvements including simplifying company mapping for customers with custom statuses, improving loading states throughout the integration, allowing MSPs to enable or disable individual accounts during mapping, and adding the author’s name to notes sent to ConnectWise.

    Detection Updates

    Log Type: Azure Active Directory

    NEW - Entra ID: User Access Administrator Role Granted at Root Scope

    This detection rule monitors for when the User Access Administrator role is granted at the root scope. This is a privileged role that has administrative control over Azure and Entra environments.

    Default state: Enabled

    Log Type: Google Workspace

    NEW - Google Workspace: Login from Outside of Canada

    This detection rule triggers when a user logs in to Google Workspace from an IP address located outside of Canada.

    Default state: Disabled

    Log Type: Microsoft 365

    NEW - Microsoft 365: Authentication Outside of Australia

    This detection rule identifies authentication attempts to Microsoft 365 from IP addresses outside of Australia.

    Default state: Disabled

    Log Type: Windows

    NEW - Suspicious Double Extension Shortcut (.LNK) File

    This detection rule monitors for the creation of files whose name carries a suspicious double extension ending in .LNK (the Windows shortcut extension). Threat actors often use this technique to disguise malicious payloads as harmless files in download attacks.

    Default state: Enabled

    NEW - Suspicious Execution of qwinsta.EXE

    This detection rule triggers when the qwinsta.exe command is executed in a suspicious context. Although qwinsta.exe is a legitimate Windows command, threat actors frequently use it during the discovery phase of an attack.

    Default state: Enabled

    NEW - Suspicious Double Extension File Execution

    This detection rule identifies the execution of processes whose file names contain multiple extensions (e.g., report.pdf.exe). Attackers commonly use this tactic to disguise malicious files as legitimate ones.

    Default state: Enabled
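    The two double-extension detections above (the .LNK file-creation case and the process-execution case) share one core check: a document-like suffix immediately followed by a suffix Windows will execute. The following is an added example of that check run over constructed Windows events; it is not Blumira's own rule logic, and the event field names (`type`, `path`) and the extension lists are assumptions.

```python
# Added example, not Blumira's own rule logic: flag deceptive double
# extensions (report.pdf.exe, invoice.pdf.lnk) in constructed Windows
# process-start and file-create events.
from pathlib import PureWindowsPath

# Suffixes Windows will execute or follow on double-click (assumed list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".vbs", ".hta", ".lnk"}
# Suffixes a user expects to open a harmless document or image (assumed list).
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
              ".txt", ".jpg", ".jpeg", ".png", ".mp4"}


def double_extension(path: str):
    """Return (decoy, executable) when the file name ends in a document-like
    suffix immediately followed by an executable one, otherwise None.
    Whitespace padding such as 'report.pdf      .exe' is normalised away,
    so it is caught; version-like names such as installer.1.2.exe are not."""
    suffixes = [s.strip().lower() for s in PureWindowsPath(path).suffixes]
    if len(suffixes) < 2:
        return None
    decoy, real = suffixes[-2], suffixes[-1]
    if decoy in DECOY_EXTS and real in EXECUTABLE_EXTS:
        return decoy, real
    return None


def scan_events(events):
    """Return one finding per event whose target path is a double-extension
    disguise, covering both the .LNK file-creation and the execution case."""
    findings = []
    for ev in events:
        hit = double_extension(ev["path"])
        if hit:
            findings.append({"type": ev["type"], "path": ev["path"],
                             "decoy": hit[0], "executable": hit[1]})
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "process_start", "path": r"C:\Users\amy\Downloads\report.pdf.exe"},
    {"type": "file_create",   "path": r"C:\Users\amy\Downloads\invoice.pdf.lnk"},
    {"type": "process_start", "path": r"C:\Users\amy\Downloads\photo.jpg          .scr"},
    {"type": "process_start", "path": r"C:\Program Files\Setup\installer.1.2.exe"},
    {"type": "file_create",   "path": r"C:\Users\amy\Documents\notes.tar.gz"},
    {"type": "process_start", "path": r"C:\Windows\System32\qwinsta.exe"},
]

if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
```

    Only the first three sample events produce findings; a bare qwinsta.exe execution is a separate rule with its own context checks and is not a double-extension match.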
    Log Type: All Traffic Logs

    UPDATE - 500GB+ Outbound Connection via Generic Network Protocol

    We improved the accuracy of data transfer size calculations, reducing false positive matches.

    Log Type: Carbon Black

    UPDATE - Carbon Black: Malicious HTA File

    We improved the logic of this rule to reduce false positive matches.

    Log Type: Fortigate

    UPDATE - Fortigate: Failed Admin Login from External IP Address

    We fixed broken URL links in the detection workflow so that responders can access support documentation directly from the finding.

    Log Type: Google Workspace

    UPDATE - Google Workspace: Login from Outside of Canada and Google Workspace: Login from Outside the U.S.

    We updated the detection logic to handle cases where the country value is null, improving detection accuracy.
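    The geo-based login rules above (Google Workspace outside Canada or the U.S., Microsoft 365 outside Australia) all reduce to comparing a resolved country against an expected one, and a null country is the edge case that a naive comparison gets wrong. The following is an added example, not Blumira's rule logic, showing the comparison with the null case kept as its own verdict; the event shape (`geo.country`) and the constructed logins are assumptions.

```python
# Added example, not Blumira's rule logic: evaluate login events against an
# expected country, treating a missing (null) country as an explicit
# "unresolved" verdict instead of a match or a silent drop.

EXPECTED_COUNTRY = "CA"   # Google Workspace: Login from Outside of Canada


def evaluate_login(event, expected=EXPECTED_COUNTRY):
    """Return 'match', 'no_match' or 'unresolved' for one login event.

    A naive `country != expected` check turns a null country into a finding
    (false positive); `country not in (expected, None)` silently discards
    it instead. Returning a distinct verdict keeps both cases visible."""
    geo = event.get("geo") or {}          # geo itself may be absent or null
    country = geo.get("country")
    if country is None or not str(country).strip():
        return "unresolved"
    return "no_match" if country.strip().upper() == expected else "match"


def triage(events, expected=EXPECTED_COUNTRY):
    """Bucket users by verdict; 'unresolved' is reviewed separately rather
    than being counted as a match or ignored."""
    buckets = {"match": [], "no_match": [], "unresolved": []}
    for ev in events:
        buckets[evaluate_login(ev, expected)].append(ev["user"])
    return buckets


# Constructed sample logins using RFC 5737 documentation addresses.
SAMPLE_LOGINS = [
    {"user": "amy@example.com", "ip": "203.0.113.10", "geo": {"country": "CA"}},
    {"user": "bob@example.com", "ip": "198.51.100.7", "geo": {"country": "US"}},
    {"user": "cat@example.com", "ip": "192.0.2.44",   "geo": {"country": None}},
    {"user": "dan@example.com", "ip": "192.0.2.45",   "geo": None},
]

if __name__ == "__main__":
    for verdict, users in triage(SAMPLE_LOGINS).items():
        print(f"{verdict}: {users}")
```

    The same function serves the Microsoft 365 rule by passing "AU" as the expected country.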
    Log Type: Microsoft 365

    UPDATE - Microsoft 365: Email Sending Limit Exceeded

    This detection will no longer generate a finding when an update is made to resolved incidents in Microsoft 365.

    UPDATE - Microsoft 365: New MFA Device Added

    We updated the workflow to improve clarity and to better guide responders based on the context provided in the finding.

    UPDATE - Microsoft 365: Suspicious Inbox Rule Creation

    We updated the workflow to allow responders to jump directly to "Confirmed Compromise" for faster resolution and initiation of incident response for confirmed compromises.

    UPDATE - Indicator: Microsoft 365 - User requested to release a quarantined message

    We updated this detection rule's title so that it is now "Microsoft 365: User Requested to Release a Quarantined Message," and we updated the logic to account for Microsoft formatting changes that were causing the user field to be empty.
    Log Type: Microsoft Defender

    UPDATE - Microsoft Defender for Endpoint: Suspicious PowerShell Command

    We updated the detection logic to account for recent changes in Microsoft log formats, which had been causing missed true positive matches.

    Log Type: SonicWall

    UPDATE - SonicWall: 5 or More Login Failures in 15 Minutes

    We fixed a malformed placeholder in the analysis section that was preventing geographic location data from displaying correctly.
    Log Type: Windows

    UPDATE - Suspicious Local Scheduled Task Created

    We added the parent.cmdline field to provide more context during review and investigation.

    UPDATE - PowerShell: Download Invocation

    We added the parent.cmdline field to provide more context during review and investigation.

    UPDATE - Rclone Execution via Command Line or PowerShell

    We improved the detection logic to better identify true positive events.

    UPDATE - File Launched via rundll OpenURL Function

    We updated the detection logic, which was previously causing false positive findings for legitimate Lenovo software.

    UPDATE - UACMe Akagi Execution

    We updated the detection logic to avoid persistent false positive flags where "akagi" appeared in the file path.

    Bug Fixes and Improvements

    Improvements
    • Enhanced Log Access - We made parsing improvements to better enable customers' access to their Sophos XG logs when using Standard Syslog Protocol and SonicOS V7 firewall logs.
    • Findings Loading Experience - We made backend changes that improve the experience of loading findings.
    • Public API Finding Resolution Notes - We added findings' resolution notes to the data returned by our API for customers participating in the Public API beta.
    Bug Fixes
    • Global Report - We resolved a minor issue that was occasionally causing errors when running the “Blumira: Endpoints by Data Generated” global report.

    March 2025 Release Notes

    In case you missed the March updates, you can find and review those notes here.

    Tag(s): Product Updates

    Eric Pitt

    Eric is a Product Marketing Manager at Blumira focusing on customer research and positioning to continuously improve the Blumira platform.
