    September 10, 2025

    August 2025 Product Releases

    In August, Blumira introduced new detections across 1Password, VMware, Okta, and Microsoft 365 to help identify high-risk behaviors like Tor-based access, vault exports, and suspicious login patterns. Detection logic was improved across several rules to reduce false positives, including updates to CrowdStrike, domain tools, and Google Workspace. We also launched a new Microsoft 365 Government Cloud Connector and upgraded our IP geolocation provider for better location accuracy. Additional fixes and improvements included smoother workflow navigation, better visibility in the MSP Portal, and easier access to finding support.

    Feature and Platform Updates

    IP Geolocation Data: Blumira now uses a new IP geolocation data provider, offering improved accuracy in IP-based location data across the platform.

    Microsoft 365 Government Cloud Connector: A new Cloud Connector has been added to support Microsoft 365 GCC (Government Community Cloud) Standard environments. The GCC High functionality has also been moved to this updated connector.

    Detection Updates

    Log Type | Details
    1Password | NEW - 1Password: Activity From Tor Exit Node

    This detection uses Blumira’s Tor Exit Node threat feed to identify when 1Password activity originates from an IP associated with a Tor exit node.

    Default state: Enabled
    1Password | NEW - 1Password: Vault Export Event

    This detection monitors for vault export events, indicating that a user is attempting to export their saved vault items. This is risky behavior due to the sensitivity of the exported data.

    Default state: Enabled
    1Password | NEW - 1Password: Impossible Travel Activity

    This detection monitors successful logins that originate from geographically distant locations within an unrealistically short timeframe, indicating potential suspicious activity.

    Default state: Enabled
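    The core of an impossible-travel rule is a per-user comparison of consecutive successful logins: geolocate each source IP, compute the great-circle distance between the two locations, divide by the elapsed time, and alert when the implied speed is beyond anything a traveller could achieve. The following is an added illustration written for this page, not Blumira's detection logic; the 900 km/h threshold, the field names, the sample coordinates and the documentation-range IPs are all assumptions.

```python
"""Impossible-travel check over constructed login events (added example, not Blumira code)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
# Assumed threshold: an implied ground speed above this is treated as impossible.
MAX_PLAUSIBLE_KMH = 900.0


@dataclass(frozen=True)
class Login:
    user: str
    ts: datetime      # time of the successful login, timezone-aware
    src_ip: str       # source address as seen in the audit log
    lat: float        # latitude/longitude from IP geolocation
    lon: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def implied_speed_kmh(earlier: Login, later: Login) -> float:
    """Speed the user would need to travel between two logins; inf when the
    locations differ but the timestamps do not (same-second logins from two places)."""
    dist = haversine_km(earlier.lat, earlier.lon, later.lat, later.lon)
    hours = (later.ts - earlier.ts).total_seconds() / 3600.0
    if hours <= 0:
        return float("inf") if dist > 0 else 0.0
    return dist / hours


def find_impossible_travel(events, max_kmh: float = MAX_PLAUSIBLE_KMH):
    """Compare each user's consecutive successful logins in time order and
    return (user, earlier, later, speed_kmh) for every pair that exceeds max_kmh."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    findings = []
    for user, logins in by_user.items():
        logins.sort(key=lambda e: e.ts)
        for prev, cur in zip(logins, logins[1:]):
            speed = implied_speed_kmh(prev, cur)
            if speed > max_kmh:
                findings.append((user, prev, cur, round(speed, 1)))
    return findings


def _t(hour: int, minute: int = 0) -> datetime:
    return datetime(2025, 8, 12, hour, minute, tzinfo=timezone.utc)


# Constructed sample: coordinates approximate Chicago, Frankfurt and Detroit;
# the IPs are documentation-range placeholders, not real observed addresses.
SAMPLE_LOGINS = [
    Login("alice", _t(9, 0), "192.0.2.10", 41.88, -87.63),    # Chicago
    Login("alice", _t(10, 30), "198.51.100.7", 50.11, 8.68),  # Frankfurt, 90 min later
    Login("bob", _t(9, 0), "192.0.2.20", 41.88, -87.63),      # Chicago
    Login("bob", _t(14, 0), "203.0.113.9", 42.33, -83.05),    # Detroit, 5 h later
]

if __name__ == "__main__":
    for user, a, b, speed in find_impossible_travel(SAMPLE_LOGINS):
        print(f"{user}: {a.src_ip} -> {b.src_ip} implies {speed} km/h")
```

    Only alice is flagged: roughly 7,000 km in 90 minutes implies well over 4,000 km/h, while bob's Chicago-to-Detroit gap over five hours is ordinary. In practice the geolocation step is where accuracy matters most, which is why a provider change like the one noted above affects this class of rule directly: VPN egress points and coarse city-level data are the usual sources of false positives, so a real rule also wants an allowlist for known corporate egress addresses.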
    CrowdStrike | NEW - CrowdStrike: Automated Lead

    CrowdStrike has released a new feature called Automated Leads, which uses their Signal engine to identify and alert on unusual behavior. This detection has been released as disabled by default because many users reported high volumes of low-fidelity alerts and false positives.

    Default state: Disabled
    Microsoft 365 | NEW - Microsoft 365: Authentication Outside of Canada

    This detection monitors for successful Microsoft 365 authentications outside of Canada.

    Default state: Disabled
    Okta | NEW - Okta: User Account Lock

    This rule detects account lock events in Okta, indicating that an account has exceeded the maximum number of failed login or failed MFA attempts.

    Default state: Disabled
    VMware | NEW - VMware: New User Created

    This detection monitors for the creation of new user accounts in VMware environments.

    Default state: Enabled
    VMware | NEW - VMware: User Password Reset Event

    This detection monitors for VMware user password reset events.

    Default state: Enabled
    Windows | NEW - PUA: PingCastle Activity

    This detection monitors for PingCastle execution. PingCastle is a popular Active Directory (AD) security assessment tool used to identify misconfigurations, privilege escalation paths, and domain weaknesses. While often used by defenders and auditors, it is also frequently leveraged by threat actors and red teams during internal reconnaissance after gaining access to a network.

    Default state: Enabled
    Windows | NEW - Unusual Network Activity from Windows System Binary

    This detection monitors for network activity originating from specific Windows system binaries. Attackers frequently leverage these legitimate, signed binaries to execute malicious payloads and evade security controls. It is disabled by default due to the high rate of false positives observed during testing, and it may require some tuning per environment.

    Default state: Disabled
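    Tuning a rule like this one usually means adding exclusions rather than changing the match: connections to internal address space, to a known vendor or update service, or spawned by a management agent are the routine sources of noise. The block below is an added example written for this page, not Blumira's rule; the watchlist of binaries, the sample events, the documentation-range IPs, the vendor network and the sccm-agent.exe parent are all constructed assumptions standing in for values that belong to a specific environment.

```python
"""Network activity from watched Windows binaries, with per-environment tuning (added example)."""
import ipaddress
from pathlib import PureWindowsPath

# Assumed watchlist. The release note does not name the binaries the rule monitors;
# these are placeholders to be replaced with the set relevant to your environment.
WATCHED_BINARIES = {"certutil.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe"}

# Connections to internal address space are expected and never alerted on.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def evaluate(events, watched=WATCHED_BINARIES, allow_dest=(), allow_parent=()):
    """Return a finding for each network-connection event whose image is on the
    watchlist, unless the destination is internal, the destination falls in an
    allow-listed network, or the parent process is allow-listed.
    allow_dest and allow_parent are the per-environment tuning knobs."""
    allow_nets = [ipaddress.ip_network(n) for n in allow_dest]
    allowed_parents = {p.lower() for p in allow_parent}
    findings = []
    for ev in events:
        image = PureWindowsPath(ev["image"]).name.lower()
        if image not in watched:
            continue
        dest = ipaddress.ip_address(ev["dest_ip"])
        if any(dest in net for net in INTERNAL_NETS):
            continue
        if any(dest in net for net in allow_nets):
            continue
        parent = PureWindowsPath(ev.get("parent_image", "")).name.lower()
        if parent in allowed_parents:
            continue
        findings.append({"host": ev["host"], "image": image,
                         "dest_ip": ev["dest_ip"], "parent": parent})
    return findings


# Constructed sample events in the shape of an EDR/Sysmon network-connection record.
# IPs are documentation-range placeholders; 203.0.113.0/24 plays a vendor update
# service and sccm-agent.exe a management agent, both hypothetical.
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Windows\System32\rundll32.exe", "dest_ip": "10.0.4.20",
     "parent_image": r"C:\Windows\explorer.exe"},                       # internal destination
    {"host": "WS02", "image": r"C:\Windows\System32\certutil.exe", "dest_ip": "198.51.100.23",
     "parent_image": r"C:\Windows\System32\cmd.exe"},                   # external, no exclusion
    {"host": "WS03", "image": r"C:\Windows\System32\regsvr32.exe", "dest_ip": "203.0.113.7",
     "parent_image": r"C:\Program Files\Vendor\updater.exe"},           # vendor network
    {"host": "WS04", "image": r"C:\Windows\notepad.exe", "dest_ip": "198.51.100.23"},  # not watched
    {"host": "WS05", "image": r"C:\Windows\System32\mshta.exe", "dest_ip": "198.51.100.40",
     "parent_image": r"C:\Program Files\Mgmt\sccm-agent.exe"},          # management agent parent
]

# Exclusions a team might add after reviewing the first week of findings.
TUNING = {"allow_dest": ["203.0.113.0/24"], "allow_parent": ["sccm-agent.exe"]}

if __name__ == "__main__":
    print("untuned:", [f["host"] for f in evaluate(SAMPLE_EVENTS)])
    print("tuned:  ", [f["host"] for f in evaluate(SAMPLE_EVENTS, **TUNING)])
```

    Untuned, the rule fires on WS02, WS03 and WS05; with the two exclusions only WS02 remains. Each exclusion should be as narrow as the evidence allows (a specific network and a specific parent image here) so that tuning out a management agent does not also tune out the behaviour the rule exists to catch.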
    Azure | UPDATE - Azure: Failed Single Factor PowerShell Authentication Attempts

    We reclassified this rule to a Priority 3 (P3) Risk to better reflect its threat level.
    CrowdStrike | UPDATE - CrowdStrike: Informational Alert, Low Alert, Medium Alert, High Alert, and Critical Alert

    All CrowdStrike alert detections have been updated to handle CrowdStrike’s new Automated Leads feature. Alerts generated from Automated Leads were incorrectly generating findings for these detections and have been moved to their own dedicated detection rule called “CrowdStrike: Automated Lead” (see above).
    Google Workspace | UPDATE - Google Workspace: 100 or More Drive Deletions in 15 Minutes

    We updated this detection rule to exclude normal Google Drive system activity to more accurately reflect true user behavior and reduce false positives.
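    A threshold rule of this shape is a trailing-window count per actor, and the false-positive fix is an exclusion applied before an event is counted. The block below is an added example written for this page, not Blumira's or Google's code; the actor names, the system-actor set and the timestamps are constructed, and the 100-in-15-minutes threshold is the one the rule name states.

```python
"""Sliding-window deletion threshold with system-actor exclusion (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=15)
THRESHOLD = 100
# Assumed: actor values that Drive system/integration activity shows up under in
# this environment; constructed placeholders, not Google's or Blumira's identifiers.
SYSTEM_ACTORS = {"system", "drive-backup-sa@example.invalid"}


def find_mass_deletions(events, threshold=THRESHOLD, window=WINDOW, exclude=SYSTEM_ACTORS):
    """events: iterable of (ts, actor, action). Returns {actor: ts} giving the
    moment each non-excluded actor first reached `threshold` deletions within
    any trailing `window`. Events are processed in time order."""
    recent = defaultdict(deque)   # per-actor timestamps of deletions still inside the window
    findings = {}
    for ts, actor, action in sorted(events):
        if action != "delete" or actor in exclude:
            continue
        q = recent[actor]
        q.append(ts)
        while ts - q[0] > window:   # drop deletions older than the window
            q.popleft()
        if len(q) >= threshold and actor not in findings:
            findings[actor] = ts
    return findings


BASE = datetime(2025, 8, 1, 12, 0, tzinfo=timezone.utc)


def build_sample():
    """Constructed audit events: a user bulk-deleting every 5 s, a system actor
    doing the same, a user whose deletions are spread out, and some non-delete noise."""
    ev = []
    ev += [(BASE + timedelta(seconds=5 * i), "mallory@example.invalid", "delete") for i in range(120)]
    ev += [(BASE + timedelta(seconds=5 * i), "system", "delete") for i in range(120)]
    ev += [(BASE + timedelta(seconds=144 * i), "carol@example.invalid", "delete") for i in range(50)]
    ev += [(BASE + timedelta(seconds=3 * i), "mallory@example.invalid", "view") for i in range(300)]
    return ev


SAMPLE_EVENTS = build_sample()

if __name__ == "__main__":
    for actor, ts in find_mass_deletions(SAMPLE_EVENTS).items():
        print(f"{actor} reached {THRESHOLD} deletions at {ts.isoformat()}")
```

    With the exclusion in place only mallory is reported, at the 100th deletion (12:08:15); passing `exclude=set()` shows the system actor would otherwise have produced an identical finding. carol's deletions never exceed seven in any 15-minute window, so lowering the threshold to seven is the point at which she first appears.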
    Microsoft 365 | UPDATE - Microsoft 365 - Application Password Deletion

    We added a new object field and updated the analysis of this detection rule. We also changed it to be disabled by default.

    Default state: Disabled
    Microsoft 365 | UPDATE - Microsoft 365: Login Blocked due to Conditional Access Policy

    We added app_id_str, is_safe, state, and additional_fields fields for additional context during investigation.
    Microsoft 365 | UPDATE - Microsoft 365: User Session Token Anomaly

    This detection now includes the app_id field for greater context during investigations.
    Traffic | UPDATE - RDP/FTP/SSH/SMB/Telnet Connection from Public IP

    A false positive option has been added at the first step of the workflow so that a finding can be quickly marked as benign. We also updated all “<protocol> Connection from Public IP” detection rules with additional fields in the matched evidence tables to help users understand which rule or policy on the firewall is allowing the connection to occur. The new fields include the following:

    • policy_id
    • rule_id
    • rule_uid
    • rule_number
    • policy
    Windows | UPDATE - AdFind Domain Enumeration

    We improved this detection’s logic to reduce false positive matches by specifying the AdFind process and adding additional AdFind commands. These updates should greatly reduce the number of false positives reported for this detection.
    Windows | UPDATE - Dsquery Network Discovery

    We updated this detection’s logic to focus on behavior observed in threat actor activity and reduce false positives.
    Windows | UPDATE - TOR Browser Usage

    We updated this detection rule’s logic to trigger findings upon detecting TOR usage on macOS agent devices.

    Bug Fixes and Improvements

    Bug Fixes 

    • Response Actions: We resolved an issue where response actions were not appearing on some findings.

    • Assignee Visibility: We fixed a bug that prevented assignees from displaying on the Findings page.

    • Workflow Navigation: We addressed a UI issue where selecting a step in a workflow caused the step to jump on the page when hovered over.

    • MSP Portal Accounts: We fixed a bug that was limiting the number of accounts being returned and displayed per MSP, so the Accounts page now loads all accounts as expected and without errors.

    Improvements  

    • Findings Support: Users can now more easily request support on a finding from our Security Operations team.

    July 2025 Release Notes

    In case you missed the July updates, you can find and review those notes here.

    Tag(s): Product Updates

    Eric Pitt

    Eric is a Product Marketing Manager at Blumira focusing on customer research and positioning to continuously improve the Blumira platform.
