Blumira’s detections help you save time, address risk, and reduce noise to help you protect your organization and increase operational resiliency.
Together, we’re improving your time to respond and reducing the noise of false positives, giving you more time back in your day and peace of mind.
Too many noisy alerts result in false positives, alert fatigue, and security gaps that go unaddressed. With that in mind, we’ve built in ways to help you turn down the noise – in April 2025, our Detection Filters feature silenced over 19 million pieces of evidence (Source: Blumira’s platform).
Blumira’s Detection Filters allow you to proactively tune your environment to reduce noisy alerts and customize rules to meet your organization’s unique needs, freeing you up to focus on responding to real threats.
Detection Filters now support regex and IP ranges, and will soon let you add detection filters from the Detection Rule page after a rule is deployed (coming soon). These updates increase your ability to fine-tune rules and optimize your daily workflows.
Adding IP Ranges to Detection Filters
Using Regex With Detection Filters
To add a new detection filter:
NetSource One chose Blumira’s easy-to-deploy SIEM security platform with a built-in MSP portal that would make it simple for them to onboard new customers, fine-tune rules, review SIEM alerts and take action to protect clients against security threats.
“The speed and user-friendliness of Blumira is head and shoulders above StratoZen. The ability to manage things all on our own, as well as the introduction of the MSP console and Detection Filters has been huge for us in terms of deployment.” – Chris Lewis, Information Security Manager, NetSource One (MSP)
The detection “Failed Admin Login from External IP Address” was triggered when one of their regular admins logged in. The customer wanted to filter out that specific admin name and location but was unable to.
With the newly updated Detection Filters, customers can now proactively reduce noise from findings by filtering out specific admin names and locations.
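To show what a username regex plus an IP range filter does to the evidence behind a finding such as the one above, here is an added example; it is illustrative code, not Blumira’s filter engine, and the evidence fields, filter format, account name and address range are assumptions.

```python
# Added example (not Blumira's code): apply detection filters that combine a
# username regex and an IP range to suppress known-benign evidence for one rule.
# Evidence fields and the filter format are assumptions for illustration.
import ipaddress
import re

def compile_filter(spec):
    """Pre-compile a filter: regex for the user, network list for the source IP."""
    return {
        "rule": spec["rule"],
        "user_re": re.compile(spec["user_regex"]) if spec.get("user_regex") else None,
        "nets": [ipaddress.ip_network(c, strict=False) for c in spec.get("ip_ranges", [])],
    }

def is_suppressed(evidence, flt):
    """True only when the evidence matches every condition of the filter."""
    if evidence["rule"] != flt["rule"]:
        return False
    if flt["user_re"] and not flt["user_re"].fullmatch(evidence["user"]):
        return False
    if flt["nets"]:
        ip = ipaddress.ip_address(evidence["src_ip"])
        if not any(ip in n for n in flt["nets"]):
            return False
    return True

def apply_filters(evidence_list, filters):
    """Split evidence into (kept, suppressed) using the compiled filters."""
    kept, suppressed = [], []
    for ev in evidence_list:
        (suppressed if any(is_suppressed(ev, f) for f in filters) else kept).append(ev)
    return kept, suppressed

# Constructed filter: the admin's own account signing in from the office's external range
FILTERS = [compile_filter({
    "rule": "Failed Admin Login from External IP Address",
    "user_regex": r"(?i)jdoe(-admin)?@example\.com",
    "ip_ranges": ["203.0.113.0/24"],  # documentation range standing in for the office
})]

# Constructed evidence: one expected admin event, one from an unknown IP, one other account
EVIDENCE = [
    {"rule": "Failed Admin Login from External IP Address", "user": "jdoe-admin@example.com", "src_ip": "203.0.113.40"},
    {"rule": "Failed Admin Login from External IP Address", "user": "jdoe-admin@example.com", "src_ip": "198.51.100.9"},
    {"rule": "Failed Admin Login from External IP Address", "user": "svc-backup@example.com", "src_ip": "203.0.113.41"},
]
```

Because both conditions must match, the same admin account failing to log in from an unknown address is still surfaced; scoping a filter to the user and the location together keeps the rule useful against credential abuse of that account from elsewhere.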
Learn more about using Detection Filters
Best practices for using detection filters to stop unwanted findings
Identity-based attacks have become increasingly commonplace – 71% of Microsoft 365 business users suffer at least one compromised account each month, according to a survey of 27 million users in 600 enterprises (Osterman Research, Coreview).
To help address risk and reduce business interruptions, Blumira’s M365 Early Detection looks at early stages of an attack, improving your time to detect and respond by spotting an attacker sniffing around your environment.
Blumira detects M365 attacks during the earliest stages, and throughout the entire attack cycle:
Initial Access – Attackers are trying to get into your network.
Blumira Detects: When compromised credentials may be used to bypass access controls and gain initial access to your systems.
Privilege Escalation – Attackers are trying to gain higher-level permissions.
Blumira Detects: Modified credentials or changes to permission groups to elevate access to victim systems.
Persistence – Attackers are trying to maintain their foothold.
Blumira Detects: Attempts to keep access to systems after restarts, changed credentials, and other interruptions that could cut off attacker access.
Defense Evasion – Attackers are trying to avoid being detected.
Blumira Detects: Evasion techniques like uninstalling or disabling security software, encrypting data, abuse of trusted processes and more.
Source: MITRE ATT&CK Tactics
As always, Blumira provides fast detection during later critical stages, including detection of attacker communications, attempts to steal data from your systems, and malware.
One of Blumira’s newest detection rules identifies attacker behavior that often blends in with regular user behavior, making it hard for other tools to detect:
Blumira has released a new rule to help identify credential access attacks against your environment. This detection identifies when at least one Microsoft 365 user has been seen displaying anomalous behavioral patterns that deviate from their normal activity (based on sessions observed).
Security Impact: Why Should You Care?
This could be a sign of a token theft attack. Attackers can use refresh tokens to gain persistent access to different services, allowing them to conduct discovery, send emails, steal data, and more. This type of activity can be hard to detect for typical security solutions, since the behavior blends into normal user behavior.
Threat Response: What Should You Do?
Blumira alerts you by sending you a finding and giving you steps to take for further investigation. Using Blumira’s M365 Threat Response, you can also take action to immediately disable the M365 user and revoke sessions.
In the example below, you’ll see a Blumira finding sent to your team. We detected an impossible travel login attempt in your M365 environment, which refers to logins or access attempts that originated from different geographic locations within an unrealistically short timeframe.
This could mean an attacker may be trying to log into one of your M365 user accounts.
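The impossible travel logic described above, as an added example that is not Blumira’s detection code: it geolocates nothing itself and assumes each sign-in already carries coordinates; the speed ceiling, sample users and addresses are constructed assumptions.

```python
# Added example (not Blumira's code): flag "impossible travel", i.e. two sign-ins
# by the same user from places too far apart to reach in the elapsed time.
# The speed ceiling and the sample events are assumptions for illustration.
from datetime import datetime, timezone
from math import radians, sin, cos, asin, sqrt

MAX_SPEED_KMH = 900.0  # assumed ceiling: roughly commercial air travel

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Return a finding for each consecutive per-user sign-in pair implying a speed above the ceiling."""
    findings, last_seen = [], {}
    for e in sorted(events, key=lambda e: e["time"]):
        prev = last_seen.get(e["user"])
        if prev is not None:
            hours = (e["time"] - prev["time"]).total_seconds() / 3600
            dist = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            # A real distance with zero elapsed time is impossible as well, so guard the division.
            if dist > 0 and (hours <= 0 or dist / hours > max_speed_kmh):
                findings.append({"user": e["user"], "from": prev["ip"], "to": e["ip"],
                                 "km": round(dist), "hours": round(hours, 2)})
        last_seen[e["user"]] = e
    return findings

# Constructed sample sign-ins (documentation-range IPs, fictional users)
SAMPLE_EVENTS = [
    {"user": "alice", "time": datetime(2025, 4, 1, 9, 0, tzinfo=timezone.utc),
     "ip": "203.0.113.10", "lat": 42.33, "lon": -83.05},  # Detroit
    {"user": "alice", "time": datetime(2025, 4, 1, 10, 30, tzinfo=timezone.utc),
     "ip": "198.51.100.7", "lat": 52.52, "lon": 13.40},   # Berlin, 90 minutes later
    {"user": "bob", "time": datetime(2025, 4, 1, 9, 0, tzinfo=timezone.utc),
     "ip": "203.0.113.22", "lat": 42.33, "lon": -83.05},  # Detroit
    {"user": "bob", "time": datetime(2025, 4, 1, 14, 0, tzinfo=timezone.utc),
     "ip": "203.0.113.23", "lat": 41.88, "lon": -87.63},  # Chicago, 5 hours later
]

if __name__ == "__main__":
    for finding in impossible_travel(SAMPLE_EVENTS):
        print(finding)
```

Only alice is flagged (thousands of km in 90 minutes); bob’s Detroit-to-Chicago drive over five hours stays well under the ceiling. In production the same check needs an allowlist for VPN egress and cloud proxy ranges, which otherwise produce exactly the kind of noise the Detection Filters above exist to suppress.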
You can take action directly in Blumira by clicking the Disable User & Revoke Sessions button, using our M365 Threat Response feature to quickly cut off user access until you can investigate further. This reduces context-switching, streamlining your security operations workflow for faster response times.
“When a user is compromised, every second counts. It brings peace of mind to us and to our clients that Blumira’s M365 Threat Response can lock bad actors out in seconds, stopping them quicker than ever before!” – Matt Timm, Network Operations Center Team Lead, TR Computer Sales.
Blumira helps you protect against M365 security threats, including:
Manufacturer Midway Swiss Turn was the target of a classic Microsoft 365 business email compromise (BEC) attack.
“We got a finding from Blumira that there was suspicious activity within our email. Someone had hacked into our email and was sending everyone else emails like it was coming from us to our customers, saying, ‘hey we’ve updated our accounts receivable, send us a check to our bank account.’ Blumira found the email attack, alerted us, and we were able to address it before any damage was done.” – Jayme Rahz, CEO, Midway Swiss Turn
As far as return on their investment, Midway Swiss Turn was able to save money with Blumira’s platform that identified, notified and helped them resolve the Microsoft 365 BEC attack.
“It would only have taken one person to send money through that email, and we would have lost tens of thousands of dollars. Based on that one incident, we’re going to see money savings in the future, especially by avoiding those business interruptions,” Rahz said.
If you’re new to Blumira, request a demo or sign up for a free NFR account (for managed service providers) to try out our platform today.