    April 5, 2024

    March 2024 Releases

    Summary

    Last month, we delivered our fastest and easiest way to experience the best of our XDR Platform Edition in a 30-day trial. Plus, we added new cloud integrations for Microsoft GCC High and Google Cloud Platform.

    Feature and Platform Updates

    • In-App XDR Trials: Organizations on Blumira’s Free SIEM Edition can now start a free trial of XDR Platform Edition directly in the app to immediately begin seeing the enhanced security benefits of XDR. Within minutes, you can experience the simplicity of deploying Blumira Agent for endpoint visibility and automated response and level up your security for the duration of the trial with 24/7 Security Operations support and broad detection coverage with additional Cloud Connectors.

    • New Cloud Connectors:

      • Microsoft GCC High: The Microsoft 365 Cloud Connector integration now supports logging and detections for GCC High tenants. This new integration is available to all Blumira editions.

      • Google Cloud Platform: This new cloud integration currently supports ingestion of GCP Audit logs. We will add parsing and detections in a future release.

      • Carbon Black Cloud Endpoint Standard: This cloud integration includes API and parsing updates and will replace the original sensor-based integration, which relies on an outdated API that is being retired by Carbon Black in July 2024.

    • Detection Rule Management: Free SIEM Edition users can now edit the default setting (enabled or disabled) for the real-time detection rules available to their organizations.

    Detection Updates

    Log Type: Blumira Agent macOS Endpoint Logs
    Detection Rule Name: NEW - macOS: Suspicious Plutil Activity
    Details: This new P3 detection rule alerts when the plutil utility runs on a Mac device. Threat actors have been observed leveraging plutil to modify .plist files in an attempt to modify application behavior, redirect to malicious applications, and evade defensive measures.

    Log Type: Google Workspace
    Detection Rule Name: NEW - Google Workspace: Domain Data Export Initiated
    Details: This new P2 detection rule alerts when a user initiates a domain data export, which can be a normal business operation to migrate to another Workspace tenant or cloud service, but some threat actors also use this method to exfiltrate data.

    Log Type: Microsoft365 Azure AD
    Detection Rule Name: NEW - Microsoft 365: Hidden Privileged Role Assignment
    Details: This new P2 detection rule alerts when a user assigns another user to one of the following privileged roles in Entra or Microsoft 365:

      • Directory Synchronization Accounts

      • Partner Tier 1 Support

      • Partner Tier 2 Support

    These very powerful and purposefully hard-to-find roles are not typically used; even Microsoft suggests not using these roles, which makes this assignment highly suspicious.

    Log Type: Mimecast
    Detection Rule Name: NEW - Mimecast: User Released a Phishing Message from Quarantine
    Details: This new P3 detection rule alerts when a user successfully releases a message categorized as phishing from Mimecast.

    Log Type: Multi-Source
    Detection Rule Name: NEW - JavaScript Executed From Unusual Directory
    Details: This new P2 detection rule alerts when a user executes a JavaScript file from an unusual location, such as User or Public User directory folders (Downloads, Desktop, etc.). Some threat actors, such as SocGholish, use this method to establish command and control access.

    Log Type: Multi-Source
    Detection Rule Name: NEW - Remote Access Tool: RustDesk
    Details: This new P3 detection rule alerts when a RustDesk process is observed on a device. RustDesk is a free and open source remote access tool used to remotely manage and support endpoints, but it has also been used by threat actors to establish remote connections to victim endpoints.

    Log Type: Azure Signin
    Detection Rule Name: Azure AD: Anomalous Agent Sign-In Activity
    Details: This existing detection’s evidence now includes action_details and access_granted to help users investigate the activity.

    Log Type: Microsoft365 Azure AD
    Detection Rule Name: Microsoft 365: Impossible Travel AAD Login
    Details: This existing detection’s evidence now includes agent information to help users investigate the activity.

    Log Type: SonicWall Traffic
    Detection Rule Name: SonicWall: Login Failure
    Details: This existing detection’s analysis and evidence now include additional details to help users investigate the activity.
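    To make the trigger conditions of three of the new rules concrete, the following is an added example written for this page, not Blumira's own rule code or event schema. It runs toy versions of "Hidden Privileged Role Assignment", "JavaScript Executed From Unusual Directory" and "Remote Access Tool: RustDesk" over a handful of constructed events. The three role names come from the release notes; the event field names (event_type, role_name, actor, target, process_name, command_line), the choice of wscript.exe/cscript.exe as the script hosts to inspect, and the sample events are all assumptions made for the example.

```python
"""Added example: toy re-implementations of three rules from the March 2024 notes.

The event dictionaries below use constructed field names; they are not
Blumira's schema. Rule names and priorities (P2/P3) follow the release notes.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Role display names named by the release notes as rarely used and hard to find.
HIDDEN_PRIVILEGED_ROLES = {
    "Directory Synchronization Accounts",
    "Partner Tier 1 Support",
    "Partner Tier 2 Support",
}

# User-profile folders the notes cite as unusual locations for running a .js file.
UNUSUAL_JS_FOLDERS = {"downloads", "desktop"}

# Assumption: the Windows script hosts whose command lines we inspect for .js files.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Matches a quoted or bare argument ending in .js on a Windows command line.
JS_PATH_RE = re.compile(r'"([^"]+\.js)"|(\S+\.js)\b', re.IGNORECASE)


@dataclass
class Finding:
    priority: str
    rule: str
    evidence: dict


def hidden_privileged_role_assignment(event):
    """P2: one user added another user to one of the three hidden privileged roles."""
    if event.get("event_type") != "role_member_added":
        return None
    role = event.get("role_name")
    if role not in HIDDEN_PRIVILEGED_ROLES:
        return None
    evidence = {"actor": event.get("actor"), "target": event.get("target"), "role": role}
    return Finding("P2", "Microsoft 365: Hidden Privileged Role Assignment", evidence)


def user_profile_script_paths(command_line):
    """Return .js paths on the command line that sit under C:\\Users\\<profile>\\Downloads or Desktop."""
    hits = []
    for quoted, bare in JS_PATH_RE.findall(command_line):
        path = quoted or bare
        parts = PureWindowsPath(path).parts  # e.g. ('C:\\', 'Users', 'alice', 'Downloads', 'x.js')
        # parts[1] is the top-level folder under the drive; parts[2:-1] are the folders below the profile root.
        if len(parts) >= 4 and parts[1].lower() == "users" and any(
            folder.lower() in UNUSUAL_JS_FOLDERS for folder in parts[2:-1]
        ):
            hits.append(path)
    return hits


def js_from_unusual_directory(event):
    """P2: a script host ran a .js file from a user or Public profile folder."""
    if event.get("event_type") != "process_create":
        return None
    if event.get("process_name", "").lower() not in SCRIPT_HOSTS:
        return None
    paths = user_profile_script_paths(event.get("command_line", ""))
    if not paths:
        return None
    evidence = {"host": event.get("host"), "user": event.get("user"), "script_paths": paths}
    return Finding("P2", "JavaScript Executed From Unusual Directory", evidence)


def rustdesk_process(event):
    """P3: any RustDesk process observed on a device; benign for managed endpoints, worth a look elsewhere."""
    if event.get("event_type") != "process_create":
        return None
    name = event.get("process_name", "").lower()
    if not name.startswith("rustdesk"):
        return None
    return Finding("P3", "Remote Access Tool: RustDesk", {"host": event.get("host"), "process": name})


RULES = (hidden_privileged_role_assignment, js_from_unusual_directory, rustdesk_process)


def run_rules(events):
    """Evaluate every rule against every event; return the findings in event order."""
    return [f for ev in events for rule in RULES if (f := rule(ev)) is not None]


# Constructed sample events for the example; not real telemetry.
SAMPLE_EVENTS = [
    {"event_type": "role_member_added", "actor": "admin@example.test",
     "target": "svc-backup@example.test", "role_name": "Partner Tier 2 Support"},
    {"event_type": "role_member_added", "actor": "admin@example.test",
     "target": "helpdesk@example.test", "role_name": "User Administrator"},
    {"event_type": "process_create", "host": "WS01", "user": "alice", "process_name": "wscript.exe",
     "command_line": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\invoice.js" //B'},
    {"event_type": "process_create", "host": "BUILD01", "user": "ci", "process_name": "cscript.exe",
     "command_line": r'cscript.exe "C:\Program Files\Vendor\build.js"'},
    {"event_type": "process_create", "host": "WS02", "user": "bob", "process_name": "rustdesk.exe",
     "command_line": r'"C:\Program Files\RustDesk\rustdesk.exe" --service'},
    {"event_type": "process_create", "host": "WS03", "user": "carol", "process_name": "cscript.exe",
     "command_line": r"cscript.exe C:\Users\Public\Desktop\update.js"},
]

if __name__ == "__main__":
    for finding in run_rules(SAMPLE_EVENTS):
        print(finding.priority, finding.rule, finding.evidence)
```

    Running the block prints four findings: the Partner Tier 2 Support assignment and the two .js executions from profile folders at P2, and the RustDesk process at P3; the User Administrator assignment and the .js file under Program Files produce nothing, which is the distinction the rules on this page draw.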

    Bug Fixes and Improvements

    We released an improvement to reduce the frequency of notifications sent when an organization exceeds its Blumira Agent limit.

    February Highlights

    In case you missed the February updates, you can find and review those notes here.

    Tag(s): Product Updates, Blog
