    June 11, 2025

    Blumira Detections: Reduce Noise & Improve Your Time to Respond

    Blumira’s detections help you save time, address risk, and reduce noise to help you protect your organization and increase operational resiliency.

    • Blumira’s Detection Filters allow you to proactively tune your environment to reduce noisy alerts and customize rules to meet your organization’s unique needs, freeing you up to focus on responding to real threats.
    • Blumira’s M365 Early Detection looks at early stages of an attack, improving your time to detect and respond by spotting an attacker sniffing around your environment.

    Together, these improve your time to respond and reduce the noise of false positives, giving you more time back in your day and peace of mind.

    Detection Filters: Noise Reduction

    Too many noisy alerts result in false positives, alert fatigue, and security gaps that go unaddressed. With that in mind, we’ve built in ways to help you turn down the noise – in April 2025, our Detection Filters feature silenced over 19 million pieces of evidence (Source: Blumira’s platform).

    Detection Filters let you tune your environment to reduce noisy alerts and customize rules to your organization’s needs:

    • Reduce Noise of Known Safe Activity – Proactively reduce noise from findings by filtering out specific admin names, locations, and more
    • Faster, Frictionless Onboarding – Remove any barriers for MSPs onboarding new clients by adding detection filters at setup, before any findings are created (coming soon!)
    • Reduce Risks of Automated Response – More precise filters give you the confidence to automate the blocking of users, without triggering false positives or locking out legitimate users
    • Streamline Security Operations – Spend less time sorting through alerts and more time on growing your business 

    Detection Filters now support regular expressions and IP ranges; adding filters directly from the Detection Rule page after a rule is deployed is coming soon. These updates let you fine-tune rules more precisely and streamline your daily workflows.

    Adding IP Ranges to Detection Filters


    Using Regex With Detection Filters

    Detection Filters: How it Works

    To add a new detection filter:

    • Navigate to Reporting > Findings.
    • Click a finding row, and then click View Finding Details.
    • Under Detection Filters, click Add Filter.
    • Fill out the Name, Field, Operator and Value fields.
    • Click Save.

    Customer Story: Supporting MSP Ease of Deployment

    NetSource One chose Blumira’s easy-to-deploy SIEM security platform with a built-in MSP portal that would make it simple for them to onboard new customers, fine-tune rules, review SIEM alerts and take action to protect clients against security threats.

    “The speed and user-friendliness of Blumira is head and shoulders above StratoZen. The ability to manage things all on our own, as well as the introduction of the MSP console and Detection Filters has been huge for us in terms of deployment.” – Chris Lewis, Information Security Manager, NetSource One (MSP)

    Example Detection Filters Use Case 

    The detection Failed Admin Login from External IP Address was triggered when one of their regular admins logged in. The customer wanted to filter out that specific admin name and location but was unable to.

    With the newly updated Detection Filters, customers can now proactively reduce noise from findings by filtering out specific admin names and locations.
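    As an added illustration (example code written for this article, not Blumira’s own filter engine), the following Python models how filters built from Field / Operator / Value triples decide whether a finding is suppressed, and why the scope of a filter matters once the same findings can drive automated blocking. The finding fields (user, src_ip, country), the operator names and the AND-of-conditions semantics are assumptions for the example, and the sample findings are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass


# Constructed sample findings modelled on the "Failed Admin Login from External
# IP Address" use case. The field names are assumptions for this example, not
# Blumira's finding schema.
FINDINGS = [
    {"id": 1, "user": "jdoe-admin", "src_ip": "203.0.113.45", "country": "US"},
    {"id": 2, "user": "jdoe-admin", "src_ip": "198.51.100.7", "country": "RU"},
    {"id": 3, "user": "svc-backup02", "src_ip": "203.0.113.200", "country": "US"},
    {"id": 4, "user": "svc-backup02", "src_ip": "192.0.2.9", "country": "US"},
]


@dataclass
class Condition:
    """One Field / Operator / Value triple, as entered in an Add Filter form."""
    field: str
    operator: str  # "equals", "matches_regex" or "in_cidr" (assumed operator names)
    value: str

    def matches(self, finding):
        actual = finding.get(self.field)
        if actual is None:
            return False
        if self.operator == "equals":
            return actual == self.value
        if self.operator == "matches_regex":
            # fullmatch, so r"svc-backup\d+" cannot silently match "svc-backup01-admin"
            return re.fullmatch(self.value, actual) is not None
        if self.operator == "in_cidr":
            return ipaddress.ip_address(actual) in ipaddress.ip_network(self.value, strict=False)
        raise ValueError(f"unknown operator {self.operator!r}")


@dataclass
class DetectionFilter:
    """A named filter; every condition must match (AND) for the finding to be suppressed."""
    name: str
    conditions: list

    def suppresses(self, finding):
        return all(c.matches(finding) for c in self.conditions)


def apply_filters(findings, filters):
    """Split findings into those that still alert and those silenced by a filter.

    Returns (kept_ids, [(finding_id, filter_name), ...]).
    """
    kept, suppressed = [], []
    for finding in findings:
        hit = next((f.name for f in filters if f.suppresses(finding)), None)
        if hit is None:
            kept.append(finding["id"])
        else:
            suppressed.append((finding["id"], hit))
    return kept, suppressed


# Too broad: keyed on the admin's name alone, so it also hides finding 2, the
# same account failing to log in from an unexpected country.
NAME_ONLY = [
    DetectionFilter("jdoe-admin, any source", [Condition("user", "equals", "jdoe-admin")]),
]

# Scoped: name AND the office egress range (an RFC 5737 documentation prefix
# stands in for it), so the same admin from anywhere else still raises a finding.
SCOPED = [
    DetectionFilter("jdoe-admin from office range", [
        Condition("user", "equals", "jdoe-admin"),
        Condition("src_ip", "in_cidr", "203.0.113.0/24"),
    ]),
    DetectionFilter("backup service accounts from office range", [
        Condition("user", "matches_regex", r"svc-backup\d+"),
        Condition("src_ip", "in_cidr", "203.0.113.0/24"),
    ]),
]


if __name__ == "__main__":
    print("name only:", apply_filters(FINDINGS, NAME_ONLY))
    print("scoped:   ", apply_filters(FINDINGS, SCOPED))
```

    The name-only filter silences findings 1 and 2, including the admin’s failed login from an unexpected country, which is exactly the event you want to keep if that account is ever compromised. The scoped filters silence findings 1 and 3 only. When a filter feeds an automated response such as blocking a user, prefer the narrowest combination of identity and network scope that still removes the known-safe noise.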

    Learn more about using Detection Filters

    Best practices for using detection filters to stop unwanted findings

    M365 Early Detection

    Identity-based attacks have become increasingly commonplace – 71% of Microsoft 365 business users suffer at least one compromised account each month, according to a survey of 27 million users in 600 enterprises (Osterman Research, Coreview).

    To help address risk and reduce business interruptions, Blumira’s M365 Early Detection looks at early stages of an attack, improving your time to detect and respond by spotting an attacker sniffing around your environment. 

    • Reduce Risk, Respond Quickly – Blumira’s M365 Early Detection reduces risk by proactively flagging the first sign of suspicious activity. Then, we enable you to take swift action to cut off attacker access by directly disabling compromised M365 user accounts.
    • Ensure Operational Resilience – Other security solutions identify attacks too late in the attack cycle – resulting in stolen data and lasting damage to companies. Blumira’s M365 Early Detection catches attacks before they can impact your business to ensure operational resilience.

    Early-Stage Detection


    Blumira detects M365 attacks during the earliest stages, and throughout the entire attack cycle:

    Initial Access – Attackers are trying to get into your network.
    Blumira Detects: When compromised credentials may be used to bypass access controls and gain initial access to your systems.

    Privilege Escalation – Attackers are trying to gain higher-level permissions.
    Blumira Detects: Modified credentials or changes to permission groups to elevate access to victim systems.

    Persistence – Attackers are trying to maintain their foothold.
    Blumira Detects: Attempts to keep access to systems after restarts, changed credentials, and other interruptions that could cut off attacker access. 

    Defense Evasion – Attackers are trying to avoid being detected.
    Blumira Detects: Evasion techniques such as uninstalling or disabling security software, obfuscating or encrypting data and scripts, abusing trusted processes, and more.

    Source: MITRE ATT&CK Tactics

    As always, Blumira provides fast detection during later critical stages, including detection of attacker communications, attempts to steal data from your systems, and malware. 

    One of Blumira’s newest detection rules identifies attacker behavior that often blends in with regular user behavior, making it hard for other tools to detect:

    NEW M365 Detection: User Session Token Anomaly

    Blumira has released a new rule to help identify credential access attacks against your environment. The detection fires when a Microsoft 365 user’s session activity deviates from the pattern of normal activity observed for that user in previous sessions.

    Security Impact: Why Should You Care?
    This could be a sign of a token theft attack. A stolen refresh token lets an attacker obtain fresh access tokens and keep using the victim’s services without re-entering the password or satisfying MFA again, so they can run discovery, send emails, steal data, and more. This type of activity is hard for typical security solutions to detect, because it is performed with valid tokens and blends into normal user behavior.

    Threat Response: What Should You Do?
    Blumira alerts you with a finding that includes steps for further investigation. Using Blumira’s M365 Threat Response, you can also immediately disable the M365 user and revoke their sessions. Keep in mind that in Entra ID, revoking sessions invalidates the user’s refresh tokens and session cookies, but access tokens that were already issued remain valid until they expire (typically 60 to 90 minutes), so continue to watch the account for that remaining window.

    Example of Blumira’s M365 Early Detection

    In the example below, you’ll see a Blumira finding as it would be sent to your team. It reports an impossible travel login attempt in your M365 environment: logins or access attempts for one account that originated from geographic locations too far apart to be reached in the time between them.

    This could mean an attacker may be trying to log into one of your M365 user accounts.  


    You can take action directly in Blumira by clicking the Disable User & Revoke Sessions button, using our M365 Threat Response feature to quickly cut off user access until you can investigate further. This reduces context-switching, streamlining your security operations workflow for faster response times.
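    The impossible travel logic described above, written out as an added example for this article (it is not Blumira’s detection code). It replays constructed Entra-style sign-in events, computes the great-circle distance between consecutive sign-ins for each user, and flags any pair whose implied speed exceeds an assumed 1,000 km/h threshold. The event fields, the threshold, the 1 km jitter floor and the list of known VPN egress ranges are all assumptions.

```python
import ipaddress
import math
from datetime import datetime, timezone

# Constructed sample sign-in events, not real log data. lat/lon stand in for the
# location Entra attaches to each sign-in (or a GeoIP lookup of the source IP).
SIGN_INS = [
    {"user": "alice@example.com", "ts": "2025-06-11T08:00:00Z", "ip": "203.0.113.10",
     "lat": 42.33, "lon": -83.05, "city": "Detroit"},
    {"user": "alice@example.com", "ts": "2025-06-11T08:40:00Z", "ip": "198.51.100.22",
     "lat": 52.52, "lon": 13.40, "city": "Berlin"},
    {"user": "bob@example.com", "ts": "2025-06-11T09:00:00Z", "ip": "203.0.113.11",
     "lat": 42.33, "lon": -83.05, "city": "Detroit"},
    {"user": "bob@example.com", "ts": "2025-06-11T15:30:00Z", "ip": "198.51.100.200",
     "lat": 41.88, "lon": -87.63, "city": "Chicago"},
    {"user": "carol@example.com", "ts": "2025-06-11T10:00:00Z", "ip": "203.0.113.12",
     "lat": 42.33, "lon": -83.05, "city": "Detroit"},
    {"user": "carol@example.com", "ts": "2025-06-11T10:05:00Z", "ip": "192.0.2.77",
     "lat": 41.88, "lon": -87.63, "city": "Chicago"},
]

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # assumed threshold: faster than any scheduled flight

# Assumed corporate VPN / cloud egress ranges whose geolocation says nothing about
# where the user is. This is the same kind of known-safe noise a detection filter removes.
KNOWN_PROXY_RANGES = ["192.0.2.0/24"]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points given in decimal degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_known_proxy(ip, ranges):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r) for r in ranges)


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH, proxy_ranges=KNOWN_PROXY_RANGES):
    """Flag consecutive sign-ins by one user whose implied speed exceeds max_kmh."""
    by_user = {}
    for e in sorted(events, key=lambda e: (e["user"], parse_ts(e["ts"]))):
        if is_known_proxy(e["ip"], proxy_ranges):
            continue  # skip events whose location is really the VPN egress point
        by_user.setdefault(e["user"], []).append(e)

    findings = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if dist < 1.0:
                continue  # same place; GeoIP jitter is not travel
            hours = (parse_ts(cur["ts"]) - parse_ts(prev["ts"])).total_seconds() / 3600
            speed = dist / hours if hours > 0 else math.inf  # identical timestamps, different places
            if speed > max_kmh:
                findings.append({
                    "user": user,
                    "from": f'{prev["city"]} ({prev["ip"]})',
                    "to": f'{cur["city"]} ({cur["ip"]})',
                    "distance_km": round(dist),
                    "minutes": round(hours * 60),
                    "speed_kmh": round(speed),
                })
    return findings


if __name__ == "__main__":
    for f in impossible_travel(SIGN_INS):
        print(f)
```

    Only alice is flagged: Detroit to Berlin is roughly 6,800 km, and 40 minutes between sign-ins implies about 10,000 km/h. bob’s Detroit-to-Chicago pair over six and a half hours is ordinary travel. carol’s second sign-in comes from the assumed VPN egress range and is skipped; remove that range from KNOWN_PROXY_RANGES and the same pair is flagged, which is why tuning known-safe sources matters as much as the detection itself. In Microsoft Graph terms, the equivalent of a Disable User & Revoke Sessions action is setting accountEnabled to false on the user object and calling revokeSignInSessions; the latter invalidates refresh tokens and session cookies but not access tokens already issued, which remain valid until they expire.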

    “When a user is compromised, every second counts. It brings peace of mind to us and to our clients that Blumira’s M365 Threat Response can lock bad actors out in seconds, stopping them quicker than ever before!” – Matt Timm, Network Operations Center Team Lead, TR Computer Sales.


    Protect Against M365 Security Threats

    Blumira helps you protect against M365 security threats, including:

    • Phishing – Attackers send emails impersonating others to steal data or commit fraud
    • Brute Force – Attackers try to log in with different combinations of usernames and passwords
    • Business Email Compromise – Attackers use a compromised or convincingly impersonated legitimate email account to trick recipients into sending money to them

    Customer Story: Blumira Halted an Email Compromise Attack in Progress

    Manufacturer Midway Swiss Turn was the target of a classic Microsoft 365 business email compromise (BEC) attack.

    “We got a finding from Blumira that there was suspicious activity within our email. Someone had hacked into our email and was sending everyone else emails like it was coming from us to our customers, saying, ‘hey we’ve updated our accounts receivable, send us a check to our bank account.’ Blumira found the email attack, alerted us, and we were able to address it before any damage was done.” – Jayme Rahz, CEO, Midway Swiss Turn

    In terms of return on investment, Midway Swiss Turn saved money because Blumira’s platform identified the Microsoft 365 BEC attack, notified them, and helped them resolve it.

    “It would only have taken one person to send money through that email, and we would have lost tens of thousands of dollars. Based on that one incident, we’re going to see money savings in the future, especially by avoiding those business interruptions,” Rahz said.

    Resources on Blumira’s Detection Filters & M365:

    • Learn more about using Detection Filters – Detection Filters allow you to tune your own detection rules within the Blumira platform. This gives you the ability to prevent triggering alerts based on your organization’s known safe, normal or expected activity. By further narrowing down what’s actually an anomaly, you can reduce the noise of false positive alerts for your small team so they can focus on what’s really important to your organization. 
    • Learn more about M365 Threat Response – Microsoft 365 Threat Response lets you respond to suspicious activity in your Microsoft 365, Azure, and Entra environments directly from Blumira as soon as you receive a finding notification. You can disable users and revoke their sessions from supported findings in the app without signing into Microsoft 365.

    If you’re new to Blumira, request a demo or sign up for a free NFR account (for managed service providers) to try out our platform today.

    Thu Pham

    Thu has over 15 years of experience in the information security and technology industries. Prior to joining Blumira, she held both content and product marketing roles at Duo Security, leading go-to-market (GTM) and messaging for the portfolio solution Cisco Zero Trust. She holds a bachelor of science degree in...
