April 5, 2024

March 2024 Releases

Summary

Last month, we delivered our fastest and easiest way to experience the best of our XDR Platform Edition in a 30-day trial. Plus, we added new cloud integrations for Microsoft GCC High and Google Cloud Platform.

Feature and Platform Updates

In-App XDR Trials: Organizations on Blumira’s Free SIEM Edition can now start a free trial of XDR Platform Edition directly in the app to immediately begin seeing the enhanced security benefits of XDR. Within minutes, you can experience the simplicity of deploying Blumira Agent for endpoint visibility and automated response and level up your security for the duration of the trial with 24/7 Security Operations support and broad detection coverage with additional Cloud Connectors.
New Cloud Connectors:
- Microsoft GCC High: The Microsoft 365 Cloud Connector integration now supports logging and detections for GCC High tenants. This new integration is available to all Blumira editions.
- Google Cloud Platform: This new cloud integration currently supports ingestion of GCP Audit logs. We will add parsing and detections in a future release.
- Carbon Black Cloud Endpoint Standard: This cloud integration includes API and parsing updates and will replace the original sensor-based integration, which relies on an outdated API that is being retired by Carbon Black in July 2024.
Detection Rule Management: Free SIEM Edition users can now edit the default setting (enabled or disabled) for the real-time detection rules available to their organizations.

Detection Updates

Log Type	Detection Rule Name	Details
Blumira Agent macOS Endpoint Logs	NEW - macOS: Suspicious Plutil Activity	This new P3 detection rule alerts when the plutil utility runs on a Mac device. Threat actors have been observed leveraging plutil to modify .plist files in an attempt to modify application behavior, redirect to malicious applications, and evade defensive measures.
Google Workspace	NEW - Google Workspace: Domain Data Export Initiated	This new P2 detection rule alerts when a user initiates a domain data export, which can be a normal business operation to migrate to another Workspace tenant or cloud service, but some threat actors also use this method to exfiltrate data.
Microsoft365 Azure AD	NEW - Microsoft 365: Hidden Privileged Role Assignment	This new P2 detection rule alerts when a user assigns another user to one of the following privileged roles in Entra or Microsoft 365: Directory Synchronization Accounts Partner Tier 1 Support Partner Tier 2 Support These very powerful and purposefully hard-to-find roles are not typically used; even Microsoft suggests not using these roles, which makes this assignment highly suspicious.
Mimecast	NEW - Mimecast: User Released a Phishing Message from Quarantine	This new P3 detection rule alerts when a user successfully releases a message categorized as phishing from Mimecast.
Multi-Source	NEW - JavaScript Executed From Unusual Directory	This new P2 detection rule alerts when a user executes a JavaScript file from an unusual location, such as User or Public User directory folders (Downloads, Desktop, etc.). Some threat actors, such as SocGholish, use this method to establish command and control access.
Multi-Source	NEW - Remote Access Tool: RustDesk	This new P3 detection rule alerts when a RustDesk process is observed on a device. RustDesk is a free and open source remote access tool used to remotely manage and support endpoints, but it has also been used by threat actors to establish remote connections to victim endpoints.
Azure Signin	Azure AD: Anomalous Agent Sign-In Activity	This existing detection’s evidence now includes `action_details` and `access_granted` to help users investigate the activity.
Microsoft365 Azure AD	Microsoft 365: Impossible Travel AAD Login	This existing detection’s evidence now includes agent information to help users investigate the activity.
SonicWall Traffic	SonicWall: Login Failure	This existing detection’s analysis and evidence now include additional details to help users investigate the activity.