This month's releases include five new detections across Microsoft 365 and Windows — covering password spraying via legacy authentication, Teams helpdesk impersonation, PsExec lateral movement correlation, Bomgar remote access tool abuse, and EDR process execution from user directories. We overhauled the Connection from Public IP detection suite in phase one of a three-phase rewrite, broadened ScreenConnect coverage to catch process name variants observed in ransomware incidents, and reduced false positives in the PowerShell Suspicious Parent Process and Endpoint TOR Traffic rules. We also shipped HTTP Ingestion for general availability, added Zscaler Client Connector log parsing, and improved CEF log field coverage.
Detection Updates
| Log Type | Details |
|---|---|
| Microsoft 365 | NEW - Microsoft 365: Excessive Failed BAV2ROPC Authentication Attempts. This new detection identifies excessive failed authentication attempts over BAV2ROPC, a legacy Microsoft resource owner password credentials (ROPC) flow that submits a username and password directly and therefore cannot prompt for multi-factor authentication. Attackers use this flow to run password spraying campaigns against Microsoft 365 accounts, sidestepping the MFA controls that would block credential guessing through modern authentication. Default state: Disabled |
| Microsoft 365 | NEW - Microsoft 365: Teams Helpdesk Impersonation from External Tenant. This new detection identifies Microsoft Teams messages from external tenant accounts whose display names look like helpdesk or IT support staff. Attackers use this social engineering technique to impersonate internal IT support, build trust with the target, and direct the victim to grant remote access through tools such as Quick Assist. Default state: Enabled |
| Windows | NEW - PsExec Service Execution Correlation. This new detection correlates PsExec source and target host activity by joining Blumira Agent network connection data with Windows Event ID 7045 (new service installed) on the target. Together the two signals are stronger evidence of lateral movement than either indicator alone: the 7045 event shows the service landing and the connection record shows where it came from. Default state: Enabled |
| Windows | NEW - Remote Access Tool: Bomgar. This new detection identifies execution of Bomgar remote access software. Bomgar is used legitimately by vendors and managed service providers, but threat actors have abused it to maintain unauthorized persistent access to compromised systems, so the rule ships disabled and should be enabled where Bomgar is not an approved tool. Default state: Disabled |
| Windows | NEW - EDR Process Executed from User Directory. This new detection identifies EDR processes executing from user-writable directories such as Downloads rather than from their standard installation paths. Attackers drop renamed or copied security tool binaries, or abuse the real ones, as part of post-compromise activity, including disabling backup services and creating security tool exclusions. Default state: Enabled |
| Windows / HTTP Access | UPDATE - Connection from Public IP Detection Suite (Phase 1). As part of a planned three-phase overhaul, we renamed the Connection from Public IP detections and fixed a false positive condition in the TCP/445 rule: connections that were established and torn down within the same minute were still generating findings. |
| Windows | UPDATE - Remote Access Tool: ScreenConnect. We expanded the ScreenConnect detection to include additional process name variants observed in recent ransomware incidents, broadening coverage beyond the single process name previously matched. |
| Windows | UPDATE - PowerShell: Execution from Suspicious Parent Process. We updated the detection logic to exclude Dell Command Update activity, which was generating false positives for organizations using Dell endpoint management tools. |
| Windows | UPDATE - Endpoint TOR Traffic. We added the command field to the matched evidence in Endpoint TOR Traffic findings and added detection filters to reduce false positives from Windows Time Service (W32Time) activity, which was being flagged because the time servers it contacts share IP address ranges with listed TOR exit nodes. |
Bug Fixes and Improvements
Bug Fixes
- Report Builder - Data Source Selection: We fixed a bug where customers were unable to select data sources in Report Builder.
- Organization Editing - Invalid Domain: We fixed a bug where organizations with an invalid or missing domain entry could not be updated in the Blumira application, and improved the error message when this condition occurs.
- Agent Seat Count: We fixed an error that occurred when updating the agent seat count on organizations with no allocated group seats.
Improvements
- HTTP Ingestion - General Availability: HTTP Ingestion is now available across all supported license tiers. Customers can configure HTTP-based log source integrations directly in Settings to send logs from compatible vendors to Blumira without deploying an agent.
- PSA Note Sync - Author Attribution: Notes synced from PSA platforms to Blumira now display the PSA user who wrote the note as the author, rather than a generic Blumira system entry.
- Zscaler Client Connector: Blumira now parses firewall logs from Zscaler Client Connector, adding support for organizations using Zscaler's network security platform.
- CEF Log Parsing: Improved parsing now captures previously missing key fields in CEF (Common Event Format) log sources, enabling more complete filtering, reporting, and investigation for CEF-based integrations.
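The CEF improvement above is about fields that a naive parser loses: header values containing an escaped pipe, extension values with spaces or an escaped equals sign, and custom fields (cs1, cn1) that are only meaningful once their csNLabel is applied. The parser below is an added example written for this page, not Blumira's parser, and the two sample lines are constructed rather than captured from any device.

```python
"""Parser for Common Event Format (CEF) lines.

Added example, not Blumira's parser. It handles the places where naive
split-on-whitespace parsers drop fields: header escapes (backslash-pipe and
doubled backslash), extension values containing spaces or escaped '=' signs,
and csNLabel/cnNLabel names for custom fields. Sample lines are constructed.
"""
import re

_HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                  "signature_id", "name", "severity")
# A key is a run of safe characters followed by '=', at the start of the
# extension or after whitespace; an escaped '\=' inside a value never matches.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=")
_ESCAPE_RE = re.compile(r"\\(.)")

# Constructed samples: a syslog-wrapped firewall event and a bare line that
# exercises the header and extension escapes.
SAMPLE_LINES = [
    r"<134>Jun  3 09:12:44 fw01 CEF:0|Acme|Firewall|4.2|100|Outbound SMB blocked|5|"
    r"src=10.1.2.3 dst=203.0.113.9 spt=51234 dpt=445 proto=TCP act=deny "
    r"msg=Blocked outbound SMB to public host cs1Label=Rule cs1=Block-SMB-Out",
    r"CEF:0|Acme|Gateway|1.0|200|Policy \| Override|8|act=allow usr=svc\=backup msg=multi word value",
]


def _unescape(value):
    """Single-pass CEF unescape: \\n and \\r become control characters, any
    other escaped character stands for itself (covers \\= and \\\\)."""
    return _ESCAPE_RE.sub(
        lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _split_header(body):
    """Split the text after 'CEF:' into the seven header fields and the
    untouched extension string, honouring the header escapes."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < len(_HEADER_FIELDS):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body) and body[i + 1] in "|\\":
            cur.append(body[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) < len(_HEADER_FIELDS):
        raise ValueError("malformed CEF header: fewer than seven fields")
    return fields, body[i:]


def _parse_extension(ext):
    """Walk key boundaries so each value runs up to the next ' key=' token,
    which keeps multi-word values such as msg= intact."""
    kv = {}
    keys = list(_KEY_RE.finditer(ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        kv[m.group(1)] = _unescape(ext[m.end():end].strip())
    return kv


def _resolve_labels(kv):
    """Also expose cs1=... under the name given by cs1Label=..., which is how
    CEF intends custom fields to be read in filters and reports."""
    out = dict(kv)
    for key, label in kv.items():
        base = key[:-5]
        if key.endswith("Label") and base in kv and label and label not in out:
            out[label] = kv[base]
    return out


def parse_cef(line):
    """Parse one syslog-wrapped or bare CEF line into a flat dict."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("no CEF: marker in line")
    fields, ext = _split_header(line[idx + 4:])
    record = dict(zip(_HEADER_FIELDS, fields))
    record["syslog_prefix"] = line[:idx].strip()
    record["extension"] = _resolve_labels(_parse_extension(ext))
    return record


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        rec = parse_cef(sample)
        print(rec["vendor"], rec["product"], repr(rec["name"]), rec["extension"])
```

With this approach the full msg= text, the escaped pipe in the event name, and the Rule label all survive into the record, which is exactly the kind of field a whitespace-split parser reports as missing. The remaining ambiguity is an unescaped '=' inside a value, which the CEF specification forbids; a device that emits one will still have that value truncated at the bogus key.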
May 2026 Release Notes
In case you missed the May updates, you can find and review those notes here.
Amanda Berlin
Amanda Berlin is the Senior Product Manager of Cybersecurity at Blumira, bringing nearly two decades of experience to her position. At Blumira she leads a team of incident detection engineers who are responsible for creating new detections based on threat intelligence and research for the Blumira platform. An...