In April, we delivered a range of updates to improve detection accuracy, streamline our log integrations, and enhance the overall user experience. Highlights include improvements to our ConnectWise PSA integration for MSPs, new detections for suspicious file behavior and geo-based authentication anomalies across Microsoft 365, Google Workspace, and Windows, as well as updates to existing detections for better context and reduced false positives. We also rolled out several platform enhancements, including improved log access and a faster findings loading experience.
Feature and Platform Updates
ConnectWise PSA Integration: We made iterative improvements including simplifying company mapping for customers with custom statuses, improving loading states throughout the integration, allowing MSPs to enable or disable individual accounts during mapping, and adding the author’s name to notes sent to ConnectWise.
Detection Updates
| Log Type |
Details |
| Azure Active Directory |
NEW - Entra ID: User Access Administrator Role Granted at Root Scope
This detection rule monitors for when the User Access Administrator role is granted at the root scope. This is a privileged role that has administrative control over Azure and Entra environments.
Default state: Enabled |
| Google Workspace |
NEW - Google Workspace: Login from Outside of Canada
This detection rule triggers when a user logs in to Google Workspace from an IP address located outside of Canada.
Default state: Disabled |
| Microsoft 365 |
NEW - Microsoft 365: Authentication Outside of Australia
This detection rule identifies authentication attempts to Microsoft 365 from IP addresses outside of Australia.
Default state: Disabled |
| Windows |
NEW - Suspicious Double Extension Shortcut (.LNK) File
This detection rule monitors for the creation of files using a suspicious Windows shortcut extension that ends in .LNK. Threat actors often use this technique to disguise malicious payloads as harmless files in download attacks.
Default state: Enabled |
NEW - Suspicious Execution of qwinsta.EXE
This detection rule triggers when the qwinsta.exe command is executed in a suspicious context. Although it is a legitimate Windows command, it is frequently used by threat actors during the discovery phase of an attack.
Default state: Enabled |
NEW - Suspicious Double Extension File Execution
This detection rule identifies the process execution of files with names containing multiple extensions (e.g., report.pdf.exe). This tactic is commonly used by attackers to disguise malicious files appearing as legitimate ones.
Default state: Enabled |
All Traffic Logs
|
UPDATE - 500GB+ Outbound Connection via Generic Network Protocol
We improved the accuracy of data transfer size calculations, reducing false positive matches. |
| Carbon Black |
UPDATE - Carbon Black: Malicious HTA File
We improved the logic of this rule to reduce false positive matches. |
| Fortigate |
UPDATE - Fortigate: Failed Admin Login from External IP Address
We fixed broken URL links in the detection workflow to ensure responders can access support documentation directly from the finding. |
| Google Workspace |
UPDATE - Google Workspace: Login from Outside of Canada and Google Workspace: Login from Outside the U.S.
We updated the detection logic to handle cases where the country value is null, improving detection accuracy. |
Microsoft 365
|
UPDATE - Microsoft 365: Email Sending Limit Exceeded
This detection will no longer generate a finding when an update is made to resolved incidents in Microsoft 365. |
UPDATE - Microsoft 365: New MFA Device Added
We updated the workflow to improve clarity and to better guide responders based on the context provided in the finding. |
UPDATE - Microsoft 365: Suspicious Inbox Rule Creation
We updated the workflow to allow responders to jump directly to "Confirmed Compromise" for faster resolution and initiation of incident response for confirmed compromises. |
UPDATE - Indicator: Microsoft 365 - User requested to release a quarantined message
We updated the above original detection rule’s title so that is now “Microsoft 365: User Requested to Release a Quarantined Message,” and we updated the logic to account for Microsoft formatting changes that were causing the user field to be empty. |
| Microsoft Defender |
UPDATE - Microsoft Defender for Endpoint: Suspicious PowerShell Command
We updated the detection logic to account for recent changes in Microsoft log formats, which had been causing missed true positive matches. |
| SonicWall |
UPDATE - SonicWall: 5 or More Login Failures in 15 Minutes
We fixed a malformed placeholder in the analysis section that was preventing geographic location data from displaying correctly. |
Windows
|
UPDATE - Suspicious Local Scheduled Task Created
We added the parent.cmdline field to provide more context during review and investigation. |
UPDATE - PowerShell: Download Invocation
We added the parent.cmdline field to provide more context during review and investigation. |
UPDATE - Rclone Execution via Command Line or PowerShell
We improved the detection logic to better identify true positive events. |
UPDATE - File Launched via rundll OpenURL Function
We updated the detection logic that was previously causing false positive findings for legitimate Lenovo software. |
UPDATE - UACMe Akagi Execution
We updated the detection logic to avoid persistent false positive flags where akagi was seen in the file path. |
Bug Fixes and Improvements
Improvements
- Enhanced Log Access - We made parsing improvements to better enable customers' access to their Sophos XG logs when using Standard Syslog Protocol and SonicOS V7 firewall logs.
- Findings Loading Experience - We made backend changes that improve the experience of loading findings.
- Public API Finding Resolution Notes - We added findings' resolution notes to the data returned by our API for customers participating in the Public API beta.
Bug Fixes
- Global Report - We resolved a minor issue that was occasionally causing errors when running the “Blumira: Endpoints by Data Generated” global report.
March 2025 Release Notes
In case you missed the March updates, you can find and review those notes here.
