This month, we rolled out Findings page upgrades, making it easier to navigate, review, and take action on findings. Enhancements include the option to resolve findings without completing the workflow, linked MITRE ATT&CK® codes, and one-click copying of finding short IDs. Detection filters are now more flexible, with the ability to create and edit filters directly from Detection Rules. We added two new Windows detections, including one addressing the recent SharePoint vulnerability, and improved detection accuracy across Azure, Linux, VMware, and FortiGate. We also fixed key bugs and introduced enhancements to the Blumira API, MSP Portal, and Findings List Page for a smoother user experience.
Feature and Platform Updates

Detection Filters on Detection Rules: Now you can create and edit your detection filters directly in Detection Rules before a finding is generated, even when a rule is disabled! No more waiting for findings to appear before you start tuning out the noise; customizing detections with allowlists now starts as early as onboarding.
Findings Detail Page Upgrades:

- Improved Information Layout: Users can easily locate basic information for the finding.
- Improved Navigation: Users can now navigate to their dashboard or go to the previous or next open finding from the Findings details page, enabling easier and faster access to the findings that still need attention.
- MITRE ATT&CK Codes: Users can see which ATT&CK codes each finding is associated with and follow links to the associated ATT&CK knowledge base entries to learn more about the techniques and related tactics.
- Resolve a Finding Individually: Users can now immediately resolve a finding directly from its details page without needing to complete the workflow and without using the bulk select feature on the Findings table.
- Copy Finding Short ID: This new option enables users to easily copy the finding's short ID, which is useful when it is needed in searches or when pasting into an email or ticketing system.
Detection Updates
| Log Type | Details |
|---|---|
| Windows | NEW - 20+ Failed Windows Login Events for Non-Existent User in 60 Minutes. This detection identifies when over 20 failed Windows login attempts associated with non-existent users occur within an hour. This activity may be suspicious, or it may surface stale service accounts that are no longer in use. Threat actors often use long lists of random usernames in an attempt to guess a username/password combination. Default state: Disabled |
| Windows | NEW - CVE-2025-49704 SharePoint Suspicious Web Shell File Created in LAYOUTS Directory. This detection was created in response to the recent vulnerability affecting on-premises SharePoint servers. Web shells should not legitimately be running out of this directory, and any related finding should be thoroughly investigated. Default state: Enabled |
| Azure_signin | UPDATE - Azure: Entra ID Anomalous Agent Sign-In Activity. Detection logic updated to add O365 Diagnostic Service to the general exclusions. |
| Azure_signin | UPDATE - Azure Identity Protection Risky Sign-in. Users can now review the action_details field in the finding's evidence to understand why a sign-in was blocked or allowed. |
| Fortigate_event | UPDATE - Fortigate: Successful Admin Login from External IP Address. Detection logic updated to account for instances where src_ip is null; it now falls back to the IP address in the message field. The message field has also been added to evidence. |
| Osquery | UPDATE - Linux Reverse Shell. The parent.cmdline field has been added to several detections; it may reveal a script name or other details that make investigation and filter building much easier. |
| Vmware_vcenter | UPDATE - VMware: VM Deletion. Detection logic updated to exclude failed VM removal logs; it now matches only on successful VM deletions. |
| Windows | UPDATE - Local User Addition or Modification via Net Commands. The parent.cmdline field has been added to several detections; it may reveal a script name or other details that make investigation and filter building much easier. |
| Windows | UPDATE - Mimikatz Process Creation or Command Run. A false positive workflow option has been added at the first step so users can quickly indicate when a finding is benign. |
| Windows | UPDATE - Nltest Domain Enumeration. The parent.cmdline field has been added to several detections; it may reveal a script name or other details that make investigation and filter building much easier. |
| Windows | UPDATE - Outlook .pst File Export. Detection logic updated to exclude false positives generated by .pst exports from internet calendar subscriptions. |
| Windows | UPDATE - Signed Binary Proxy Execution: Msiexec. The event_type field has been added to help investigate and provide appropriate context for the alert. |
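As an added illustration of the new 20+ failed-logins rule in the table above (this is not Blumira's own detection logic), the following script counts non-existent-user logon failures per source inside a sliding 60-minute window over a constructed sample log. The Windows event ID/sub-status mapping and the field names are assumptions, not taken from the release notes.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed standard Windows values (not from the release notes): Security event 4625
# is a failed logon, and sub-status 0xC0000064 means the account name does not exist.
FAILED_LOGON = 4625
USER_NOT_FOUND = "0xC0000064"
THRESHOLD = 20                  # rule fires on MORE than 20 failures
WINDOW = timedelta(minutes=60)


def build_sample_events():
    """Constructed sample log: a guessing host, wrong-password noise, and a slow host."""
    base = datetime(2025, 7, 21, 9, 0, 0)
    events = []
    # 10.0.0.5: 22 failures for made-up usernames within 42 minutes -> should fire.
    for i in range(22):
        events.append({"ts": base + timedelta(minutes=2 * i), "event_id": FAILED_LOGON,
                       "sub_status": USER_NOT_FOUND, "src": "10.0.0.5", "user": f"guess{i}"})
    # Same host, wrong password for an existing user: different sub-status, must not count.
    for i in range(10):
        events.append({"ts": base + timedelta(minutes=i), "event_id": FAILED_LOGON,
                       "sub_status": "0xC000006A", "src": "10.0.0.5", "user": "alice"})
    # 10.0.0.9: 21 non-existent-user failures spread over 4 hours -> no hour holds > 20.
    for i in range(21):
        events.append({"ts": base + timedelta(minutes=12 * i), "event_id": FAILED_LOGON,
                       "sub_status": USER_NOT_FOUND, "src": "10.0.0.9", "user": f"svc{i}"})
    return events


def detect_username_guessing(events, threshold=THRESHOLD, window=WINDOW):
    """Return {src: peak_count} for sources whose non-existent-user failures
    exceed `threshold` inside any span no longer than `window`."""
    per_src = defaultdict(list)
    for e in events:
        if e["event_id"] == FAILED_LOGON and e["sub_status"] == USER_NOT_FOUND:
            per_src[e["src"]].append(e["ts"])
    hits = {}
    for src, stamps in per_src.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            # Advance the window start until the oldest event is within `window` of `ts`.
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            hits[src] = peak
    return hits
```

Once a source is flagged, the usernames it tried are what tell a stale service account apart from a guessing list, which is why the rule ships disabled for tuning.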
Bug Fixes and Improvements

Bug Fixes

- Detection Filter Duplication: Fixed an issue where Detection Filters were duplicated immediately after saving.
- Sub-Account Access: We resolved a bug that could cause an MSP administrator to lose access to a sub-account.

Improvements

- Detection Filter Fields: Filters can now be created using any field present in evidence. Previously, detection filters could not be created for fields stored as an unsupported type in our database, so those fields did not populate when creating filters.
- MSP Portal: Administrators can no longer deselect themselves from the Users page in the MSP Portal; they must ask another administrator in their organization to remove them from an account, or reach out to Blumira Support.
- API Enhancements:
  - Findings /comments results now include author details to identify who added a comment on the finding.
  - The MSP Findings endpoint now includes assignee, notes, and note authors.
  - Added filtering options to the Findings endpoints, including: "blocked", "category", "created", "created_by", "created_after", "created_before", "modified", "modified_by", "name", "org_id", "owners", "priority", "resolution", "seconds_to_status", "status", "status_modified_by", "type"
- Findings Table: The table now retains filters when users navigate to and from the page.
- Tags Page: The Tags page has been deprecated.
June 2025 Release Notes
In case you missed the June updates, you can find and review those notes here.
Tag(s):
Product Updates
Eric Pitt
Eric is a Product Marketing Manager at Blumira focusing on customer research and positioning to continuously improve the Blumira platform.
July 2025 Product Releases | Product Updates | August 5, 2025