Skip to content
Get A Demo
Free SIEM
    April 9, 2024

    Security Detection Update - 2024-4-9

    Welcome to our weekly security detection and report update. Our Incident Detection Engineering (IDE) Team is constantly hard at work. Creating, testing, and writing detections for you! This week, we've made several important updates to improve your security posture and enhance the functionality of our detections. As you might know, monthly, we also release an overview of the entirety of what was changed in the product. However in these updates we'll focus on the net new content that IDE provides on an ongoing basis, musings from our team, and maybe the occasional horoscope if you're lucky.

    Introduction and Overview

    This week was partially wrapping up new detections and also some new marketing content. Over the next few months we might be a tad slower releasing detections. They say you have to sometimes slow down to go faster. We're building some new internal systems that will allow us to do just that. As we grow and mature, so must our tooling!


    New Detections

    This update introduces several new detections, including:

    SonicWall: Configuration Change

    I don't think you need much explanation with that title. However it does log on SW Event IDs 1382, 1383, and 1432.

    • Status: Disabled
    • Log type requirement: SonicWall Traffic

    VSSAdmin Shadow Copy Deletion Command

    Shadow copy deletion commands are monitored to identify unauthorized or malicious activity. Threat actors such as Black Basta, Phobos, and others have been observed deleting shadow copies after data exfiltration to inhibit the recovery of encrypted systems and/or data.

    • Status: Enabled
    • Log type requirement: Windows and Blumira Agent for Windows


    IDE Content

    Of course we're going to sneak some of our other content into detection updates!

    CVE-2024-3094: xz-utils (liblzma) Backdoor

    An ongoing wrap-up of one of the most extensive and interesting backdoors in recent history. The xz-utils package, versions 5.6.0 and 5.6.1, has been identified as containing a backdoor in a compromised library dependency liblzma5. The presence of the backdoor potentially allows unauthorized access to affected systems through the manipulation of the sshd authentication process. This issue has been assigned CVE-2024-3094 and given a CVSS severity score of 10.0 Critical.

    Announcing the First Annual Blumira Awards

    As someone who's loves diving into the data behind our detections, in partnership with our marketing team we decided to have a little fun with that information this year. We took some of our more interesting detections and themes that we saw over all of 2023 and ranked them into categories for you!

    Amanda Berlin

    Amanda Berlin is Lead Incident Detection Engineer at Blumira, bringing nearly two decades of experience to her position. At Blumira she leads a team of incident detection engineers who are responsible for creating new detections based on threat intelligence and research for the Blumira platform. An accomplished...

    More from the blog

    View All Posts