This month’s releases introduced new detections across Windows, Fortigate, Microsoft 365, and Azure to help uncover persistence, credential compromise, and suspicious network activity. Highlights include new coverage for Guest account enablement, Tactical RMM usage, Protocolhandler abuse, impossible travel, and risky Azure service principal behavior, along with several Fortigate alerts for allowed IPS, anomaly, and virus events. We also improved detection accuracy across multiple existing rules to reduce false positives and better surface meaningful activity.
Detection Updates
| Log Type | Details |
|---|---|
| Azure Directory Audit | NEW - Azure: Service Principal Creation or Modification Followed by Directory Role Assignment. Detects when a service principal is created or modified with a client secret and assigned a directory role within a short timeframe. While this can be legitimate activity when adding new app registrations, threat actors have been observed using this technique to gain persistence and elevate privileges in Azure environments. Default state: Enabled |
| Azure Signin | NEW - Microsoft 365: Suspicious Successful Login - Axios User Agent. Detects successful Microsoft 365 sign-ins using the Axios HTTP client library. Axios is a legitimate JavaScript HTTP client that threat actors increasingly abuse in Adversary-in-the-Middle (AitM) phishing campaigns to intercept credentials, MFA tokens, and session tokens in real time. This user agent pattern is unusual for typical user authentication flows. Default state: Disabled |
| Fortigate Anomaly | NEW - Fortigate: Allowed High/Critical Anomaly Event. Detects when a Fortigate device identifies a high or critical severity anomaly event. These events may indicate denial of service attempts, network scanning, or other suspicious network activity that warrants investigation. Default state: Disabled |
| Fortigate IPS | NEW - Fortigate: Allowed High/Critical IPS Event. Detects high or critical severity IPS events on Fortigate devices that were not blocked. This may indicate a misconfigured IPS policy or an attack that bypassed protection and requires immediate investigation. Default state: Enabled |
| Fortigate IPS | NEW - Fortigate: Allowed Medium IPS Event. Detects medium severity IPS events on Fortigate devices that were not blocked. This may indicate a misconfigured IPS policy or an attack that bypassed protection. Default state: Disabled |
| Fortigate Virus | NEW - Fortigate: Allowed Virus Event. Detects when a Fortigate device identifies a virus that was allowed through rather than blocked, indicating a potential antivirus policy misconfiguration. Default state: Disabled |
| Microsoft 365 | NEW - Microsoft 365: Impossible Travel. Detects when Microsoft 365 users exhibit impossible travel behavior within a 3-hour window at 500 MPH or faster. Impossible travel refers to logins or access attempts from different geographic locations within an unrealistically short timeframe, indicating potential credential compromise or malicious activity. This new detection rule differs from our existing “Impossible Travel” rules by calculating travel speed rather than flat distance. Default state: Disabled |
| Windows | NEW - File Download Using Protocolhandler.EXE. Detects the execution of Protocolhandler.EXE spawned by cmd.exe. Attackers abuse this signed Microsoft Office binary to download files from external sources, typically to download tools or malware. This technique allows attackers to bypass certain application allowlisting controls or network restrictions by proxying the download request through a signed Microsoft binary. Default state: Enabled |
| Windows | NEW - Remote Access Tool: Tactical RMM. Detects Tactical RMM activity on endpoints. While commonly used for legitimate remote management by system administrators, attackers have been observed using it as a command-and-control channel. Default state: Enabled |
| Windows | NEW - Windows Guest Account Enabled. Detects when someone enables the built-in Windows Guest account. The Guest account is disabled by default in modern Windows systems and provides a low-privilege access point that does not require a password. Threat actors might enable the account during post-compromise activity to establish persistence, create a backdoor for later access, or facilitate lateral movement within a network. Default state: Enabled |
| Azure Signin | UPDATE - Azure Entra ID Anomalous Agent Sign-In Activity. Added logic to ensure only successful sign-ins are detected. |
| Google Workspaces | UPDATE - Google Workspace External Document Share. We updated the detection logic to be more accurate and included an additional check to ensure the user is sharing externally. |
| M365 SharePoint | UPDATE - MS365 SharePoint 100+ File Deletions in 15 Minutes. We added logic to handle null file_path and file_name fields to reduce failures and false positives. |
| Traffic | UPDATE - TCP 445 Connection from Public IP. We updated the detection logic to filter out connections that are quickly torn down, reducing false positives. |
| Windows | UPDATE - Finger.EXE Execution. We broadened the detection logic to surface any finger.EXE execution. Renamed from “Suspicious Invocation of Finger.exe.” |
| Windows | UPDATE - User Created in PowerShell. To fix false positives that were being caused by module metadata, we now require command parameters for detection. |
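As an added illustration (not Blumira's detection code), the Python below implements two of the patterns described in the table: the speed-based impossible-travel check (a 3-hour window, 500 MPH or faster, computed from great-circle distance rather than flat distance) and the service-principal credential-then-role-assignment sequence. The sample sign-in and audit events, the account and service principal names, the latitude/longitude values standing in for geo-resolved source IPs, and the 15-minute correlation window are constructed assumptions (the page says only "a short timeframe"); the Entra audit operation names are the display names I expect in Entra audit logs, not values taken from the page.

```python
# Added example, not Blumira's code: two detection patterns from the release notes
# run over constructed sample events.
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_MILES = 3958.8

# Constructed Microsoft 365 sign-in events; lat/lon stand in for geo-resolved source IPs.
SIGNINS = [
    {"user": "alice@example.com", "ts": "2025-12-01T09:00:00", "lat": 42.33, "lon": -83.05},  # Detroit
    {"user": "alice@example.com", "ts": "2025-12-01T11:00:00", "lat": 51.51, "lon": -0.13},   # London, 2h later
    {"user": "bob@example.com",   "ts": "2025-12-01T09:00:00", "lat": 42.33, "lon": -83.05},  # Detroit
    {"user": "bob@example.com",   "ts": "2025-12-01T10:30:00", "lat": 41.88, "lon": -87.63},  # Chicago, 1.5h later
    {"user": "bob@example.com",   "ts": "2025-12-01T16:00:00", "lat": 51.51, "lon": -0.13},   # London, 5.5h later
]

# Constructed Azure directory audit events. Operation names are assumed Entra audit
# display names; the target is the service principal being changed.
AUDIT = [
    {"ts": "2025-12-01T12:00:00", "op": "Add service principal credentials", "target": "sp-backup-sync"},
    {"ts": "2025-12-01T12:04:00", "op": "Add member to role", "target": "sp-backup-sync"},
    {"ts": "2025-12-01T13:00:00", "op": "Add service principal credentials", "target": "sp-reporting"},
    {"ts": "2025-12-01T15:30:00", "op": "Add member to role", "target": "sp-reporting"},
]
CREDENTIAL_OPS = {"Add service principal", "Add service principal credentials"}
ROLE_OP = "Add member to role"


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in statute miles."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * asin(sqrt(a))


def impossible_travel(events, window=timedelta(hours=3), max_mph=500.0):
    """Speed-based rule: flag a user whose two sign-ins within `window` imply a
    travel speed of `max_mph` or faster. Returns (user, later_ts, mph) tuples."""
    alerts = []
    by_user = {}
    for ev in events:
        by_user.setdefault(ev["user"], []).append(ev)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, earlier in enumerate(evs):
            t0 = datetime.fromisoformat(earlier["ts"])
            for later in evs[i + 1:]:
                elapsed = datetime.fromisoformat(later["ts"]) - t0
                if elapsed > window:
                    break  # sorted by time, so the remaining pairs are further apart
                miles = haversine_miles(earlier["lat"], earlier["lon"], later["lat"], later["lon"])
                hours = elapsed.total_seconds() / 3600
                if hours == 0:
                    # Distant sign-ins at the same timestamp: treat as infinite speed.
                    mph = float("inf") if miles > 0 else 0.0
                else:
                    mph = miles / hours
                if mph >= max_mph:
                    alerts.append((user, later["ts"], round(mph, 1)))
    return alerts


def sp_credential_then_role(events, window=timedelta(minutes=15)):
    """Sequence rule: a service principal receives a credential and, within
    `window`, a directory role. Returns (target, credential_ts, role_ts) tuples."""
    alerts = []
    credential_times = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(ev["ts"])
        if ev["op"] in CREDENTIAL_OPS:
            credential_times.setdefault(ev["target"], []).append(t)
        elif ev["op"] == ROLE_OP:
            for c in credential_times.get(ev["target"], []):
                if timedelta(0) <= t - c <= window:
                    alerts.append((ev["target"], c.isoformat(), ev["ts"]))
    return alerts


if __name__ == "__main__":
    print(impossible_travel(SIGNINS))          # alice: Detroit to London in 2h
    print(sp_credential_then_role(AUDIT))      # sp-backup-sync: credential, then role 4 min later
```

On the sample data only alice is flagged (roughly 3,750 miles in two hours), while bob's Detroit-to-Chicago hop at about 160 MPH and his later London sign-in outside the 3-hour window are not; a flat-distance rule would have to pick a mileage threshold that either misses the short hop or flags ordinary flights. The sequence rule keys on the service principal rather than the actor, so a role assignment performed from a different admin session still correlates with the earlier credential addition.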
Bug Fixes and Improvements
Bug Fixes
- Resolved Agent Deletion: We fixed an issue that was causing failures when users tried to manually delete a Blumira Agent.
- GCC High Cloud Connector: We fixed an issue that was preventing successful GCC High Cloud Connector integrations.
- MSP Portal Pagination: We fixed a pagination issue in the MSP Portal Accounts table that was causing errors in rendering whenever users selected 250.
- Executive Summary Report Access: We fixed an issue that was preventing Respond and Automate customers from getting Executive Summary reports.
Improvements
- Log Parsing Expansion: We’re now parsing additional fields from Azure General logs and pfSense logs.
December 2025 Release Notes
In case you missed the November updates, you can find and review those notes here.
Eric Pitt
Eric is a Product Marketing Manager at Blumira focusing on customer research and positioning to continuously improve the Blumira platform.