In April, we delivered a range of updates to improve detection accuracy, streamline our log integrations, and enhance the overall user experience. Highlights include improvements to our ConnectWise PSA integration for MSPs, new detections for suspicious file behavior and geo-based authentication anomalies across Microsoft 365, Google Workspace, and Windows, as well as updates to existing detections for better context and reduced false positives. We also rolled out several platform enhancements, including improved log access and a faster findings loading experience.
Feature and Platform Updates
ConnectWise PSA Integration: We made iterative improvements including simplifying company mapping for customers with custom statuses, improving loading states throughout the integration, allowing MSPs to enable or disable individual accounts during mapping, and adding the author’s name to notes sent to ConnectWise.
Detection Updates
Log Type | Details |
---|---|
Azure Active Directory | NEW - Entra ID: User Access Administrator Role Granted at Root Scope. This detection rule monitors for the User Access Administrator role being granted at the root scope. This is a privileged role that has administrative control over Azure and Entra environments. Default state: Enabled |
Google Workspace | NEW - Google Workspace: Login from Outside of Canada. This detection rule triggers when a user logs in to Google Workspace from an IP address located outside of Canada. Default state: Disabled |
Microsoft 365 | NEW - Microsoft 365: Authentication Outside of Australia. This detection rule identifies authentication attempts to Microsoft 365 from IP addresses outside of Australia. Default state: Disabled |
Windows | NEW - Suspicious Double Extension Shortcut (.LNK) File. This detection rule monitors for the creation of files using a suspicious double extension that ends in .LNK. Threat actors often use this technique to disguise malicious payloads as harmless files in download attacks. Default state: Enabled |
Windows | NEW - Suspicious Execution of qwinsta.EXE. This detection rule triggers when the qwinsta.exe command is executed in a suspicious context. Although it is a legitimate Windows command, it is frequently used by threat actors during the discovery phase of an attack. Default state: Enabled |
Windows | NEW - Suspicious Double Extension File Execution. This detection rule identifies the process execution of files with names containing multiple extensions (e.g., report.pdf.exe). This tactic is commonly used by attackers to make malicious files appear legitimate. Default state: Enabled |
All Traffic Logs | UPDATE - 500GB+ Outbound Connection via Generic Network Protocol. We improved the accuracy of data transfer size calculations, reducing false positive matches. |
Carbon Black | UPDATE - Carbon Black: Malicious HTA File. We improved the logic of this rule to reduce false positive matches. |
Fortigate | UPDATE - Fortigate: Failed Admin Login from External IP Address. We fixed broken URL links in the detection workflow so that responders can access support documentation directly from the finding. |
Google Workspace | UPDATE - Google Workspace: Login from Outside of Canada and Google Workspace: Login from Outside the U.S. We updated the detection logic to handle cases where the country value is null, improving detection accuracy. |
Microsoft 365 | UPDATE - Microsoft 365: Email Sending Limit Exceeded. This detection will no longer generate a finding when an update is made to resolved incidents in Microsoft 365. |
Microsoft 365 | UPDATE - Microsoft 365: New MFA Device Added. We updated the workflow to improve clarity and to better guide responders based on the context provided in the finding. |
Microsoft 365 | UPDATE - Microsoft 365: Suspicious Inbox Rule Creation. We updated the workflow to allow responders to jump directly to "Confirmed Compromise" for faster resolution and initiation of incident response for confirmed compromises. |
Microsoft 365 | UPDATE - Indicator: Microsoft 365 - User requested to release a quarantined message. We renamed this detection rule to “Microsoft 365: User Requested to Release a Quarantined Message,” and we updated the logic to account for Microsoft formatting changes that were causing the user field to be empty. |
Microsoft Defender | UPDATE - Microsoft Defender for Endpoint: Suspicious PowerShell Command. We updated the detection logic to account for recent changes in Microsoft log formats, which had been causing missed true positive matches. |
SonicWall | UPDATE - SonicWall: 5 or More Login Failures in 15 Minutes. We fixed a malformed placeholder in the analysis section that was preventing geographic location data from displaying correctly. |
Windows | UPDATE - Suspicious Local Scheduled Task Created. We added the parent.cmdline field to provide more context during review and investigation. |
Windows | UPDATE - PowerShell: Download Invocation. We added the parent.cmdline field to provide more context during review and investigation. |
Windows | UPDATE - Rclone Execution via Command Line or PowerShell. We improved the detection logic to better identify true positive events. |
Windows | UPDATE - File Launched via rundll OpenURL Function. We updated the detection logic that was previously causing false positive findings for legitimate Lenovo software. |
Windows | UPDATE - UACMe Akagi Execution. We updated the detection logic to avoid persistent false positive flags where "akagi" appeared in the file path. |
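To illustrate what the two Windows double-extension rules above look for, here is a small matcher run over constructed file-creation and process-start events. This is example code added for this page, not Blumira's detection logic; the extension lists and the event field names (event, path, image) are assumptions.

```python
"""Double-extension detection, modelled on the two Windows rules listed above.

Added example, not Blumira's rule code. Extension sets and event schema are
assumptions chosen for the demonstration.
"""
from typing import Optional

# Final extensions that execute or are launched by Windows (assumed list).
EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "ps1", "vbs", "js", "hta", "msi"}
# Document/image extensions an attacker may present as the "real" type (assumed list).
DECOY_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png", "zip"}


def classify_filename(name: str) -> Optional[str]:
    """Return 'double_extension_lnk', 'double_extension_exec', or None."""
    base = name.rsplit("\\", 1)[-1].rsplit("/", 1)[-1]  # drop directory part
    parts = base.lower().split(".")
    if len(parts) < 3:  # need stem + decoy extension + final extension
        return None
    # Padding with spaces ("report.pdf      .exe") hides the real extension.
    decoy, final = parts[-2].strip(), parts[-1].strip()
    if decoy not in DECOY_EXT:
        return None
    if final == "lnk":
        return "double_extension_lnk"
    if final in EXECUTABLE_EXT:
        return "double_extension_exec"
    return None


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"event": "file_create", "path": r"C:\Users\alice\Downloads\invoice.pdf.lnk"},
    {"event": "process_start", "image": r"C:\Users\bob\AppData\Local\Temp\report.pdf.exe"},
    {"event": "process_start", "image": r"C:\Windows\System32\notepad.exe"},
    {"event": "file_create", "path": r"C:\Users\carol\Documents\archive.tar.gz"},
]


def run_rules(events):
    """Apply both rules: .LNK on file creation, executable on process start."""
    findings = []
    for ev in events:
        target = ev.get("path") or ev.get("image") or ""
        kind = classify_filename(target)
        if kind == "double_extension_lnk" and ev["event"] == "file_create":
            findings.append(("Suspicious Double Extension Shortcut (.LNK) File", target))
        elif kind == "double_extension_exec" and ev["event"] == "process_start":
            findings.append(("Suspicious Double Extension File Execution", target))
    return findings
```

Running run_rules(SAMPLE_EVENTS) yields two findings and leaves notepad.exe and archive.tar.gz (a legitimate multi-extension name) untouched.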
Bug Fixes and Improvements
Improvements
- Enhanced Log Access - We made parsing improvements to better enable customers' access to their Sophos XG logs when using Standard Syslog Protocol and SonicOS V7 firewall logs.
- Findings Loading Experience - We made backend changes that improve the experience of loading findings.
- Public API Finding Resolution Notes - We added findings' resolution notes to the data returned by our API for customers participating in the Public API beta.
- Global Report - We resolved a minor issue that was occasionally causing errors when running the “Blumira: Endpoints by Data Generated” global report.
March 2025 Release Notes
In case you missed the March updates, you can find and review those notes here.
Eric Pitt
Eric is a Product Marketing Manager at Blumira focusing on customer research and positioning to continuously improve the Blumira platform.