In May, we released detection filter enhancements that expand which fields you can use to tune your detections and reduce alert noise. We also added an option for non-MSP users to be notified when their Blumira Agent installation limit is exceeded, so they can manage agent deployments efficiently. And we added seven new detection rules, including a new Microsoft 365 rule that helps identify potential attacker-in-the-middle (AiTM), token theft, pass-the-cookie, or stolen cookie attacks.
Feature and Platform Updates
Mimecast API V2: We’ve upgraded our Mimecast Cloud Connector integration to use Mimecast API 2.0, due to the planned deprecation of API 1.0 by the end of 2025. Users who previously had a Mimecast Cloud Connector configured should upgrade to the newest version as soon as possible.
Agent Limit Notifications: Users in non-MSP accounts can now opt in to receive email notifications when their Blumira Agent installations exceed the maximum deployable limit for the account. This notification provides immediate awareness that a device cannot connect to Blumira and that attention is required in the account. Go to Notification Settings to enable, and learn more about managing and monitoring agent limits here.
Detection Updates
Log Type | Details |
---|---|
Microsoft 365 | NEW - Microsoft 365: User Session Token Anomaly. Monitors for users displaying anomalous behaviors grouped by session ID. It helps identify potential AiTM (Attacker-in-the-Middle), token theft, pass-the-cookie, or stolen cookie attacks. Default state: Enabled |
OneLogin | NEW - OneLogin: User Suspended. Monitors for users being disabled in OneLogin and identifies who performed the action. Default state: Disabled |
SonicWall | NEW - SonicWall: 5+ Login Failures in 15 Minutes Followed by Successful Authentication. Monitors for five or more failed SonicWall admin interface login attempts within 15 minutes followed by a successful logon. Default state: Enabled |
Traffic | NEW - DFIR Report: Netsupport RAT Command and Control. Monitors for network traffic to IP addresses associated with Netsupport C2 endpoints. Default state: Enabled |
Traffic | NEW - DFIR Report: Pyramid Command and Control. Monitors for network traffic to IP addresses associated with Pyramid C2 endpoints. Default state: Enabled |
Traffic | NEW - DFIR Report: RemcosRAT Command and Control. Monitors for network traffic to IP addresses associated with RemcosRAT C2 endpoints. Default state: Enabled |
Traffic | NEW - DFIR Report: SecTopRat Command and Control. Monitors for network traffic to IP addresses associated with SecTopRat C2 endpoints. Default state: Enabled |
Cisco ASA | UPDATE - Cisco ASA: ArcaneDoor IOC IP Addresses. This detection rule has been deprecated due to age; the IOC data is no longer accurate or relevant. |
Duo | UPDATE - DUO: High Number of MFA Requests. We updated the detection logic to account for stacking of similar logs, which was causing false positive findings. |
Linux | UPDATE - Linux: User Added to Privileged Group. We reviewed and updated the detection logic to reduce false positives and improve overall accuracy. |
Microsoft 365 | UPDATE - Microsoft 365 Alert Policy: Creation of Forwarding/Redirect Rule. We updated the analysis to account for Microsoft Purview UI changes. |
Traffic | UPDATE - DFIR Report: Qbot Tier 1 Endpoint Command and Control. This detection rule has been deprecated due to age; the list is no longer maintained by the DFIR Report team. |
Traffic | UPDATE - Multiple Public IP Connection Detections. We updated the following detections to exclude activity from safe external CGNAT IP addresses: SSH Connection from Public IP, SMB Connection from Public IP, RDP Connection from Public IP, FTP Connection from Public IP, Telnet Connection from Public IP. |
VMware vCenter | UPDATE - VMware: VM Deletion. We tuned the detection to exclude false positives generated by querying a VMware database. |
Windows (Agent and NXLog) | UPDATE - Clearing of Windows Event Log. We tuned the detection to account for Microsoft Exchange server logs that were causing false positives. |
Windows (Agent and NXLog) | UPDATE - Suspicious Process Parents dllhost.exe/taskhost.exe. We updated the detection to reduce false positives from similar log events and to handle instances where the username is not reported. |
Windows | UPDATE - Disabling of Windows Firewall. We updated the detection logic to account for changes in Microsoft logging. This update addresses true positive misses. |
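As an added illustration (example code written for this page, not Blumira's rule logic), here are the two detection patterns in the table above that the notes fully specify: the SonicWall "5+ login failures in 15 minutes followed by a successful authentication" rule, and the "Connection from Public IP" family with CGNAT sources excluded. The threshold and window are taken from the rule name; the event field layout, helper names, watched-port list and sample events are assumptions constructed for the example.

```python
"""Two detection patterns named in these release notes, run over constructed
sample events. Example code written for this page, not Blumira's rule logic;
the event layout, helper names and sample data are assumptions."""
from datetime import datetime, timedelta
import ipaddress

# --- 1. "5+ login failures in 15 minutes followed by a successful authentication" ---

# Constructed SonicWall-style admin login events: (timestamp, user, src_ip, outcome).
ADMIN_LOGINS = [
    ("2025-05-12T09:00:05", "admin", "203.0.113.7", "failure"),
    ("2025-05-12T09:01:10", "admin", "203.0.113.7", "failure"),
    ("2025-05-12T09:02:20", "admin", "203.0.113.7", "failure"),
    ("2025-05-12T09:03:30", "admin", "203.0.113.7", "failure"),
    ("2025-05-12T09:04:40", "admin", "203.0.113.7", "failure"),
    ("2025-05-12T09:06:00", "admin", "203.0.113.7", "success"),   # 5 failures then success: fires
    ("2025-05-12T10:00:00", "jdoe",  "198.51.100.3", "failure"),
    ("2025-05-12T10:01:00", "jdoe",  "198.51.100.3", "success"),  # one typo then success: quiet
    ("2025-05-12T11:00:00", "ops",   "192.0.2.9", "failure"),
    ("2025-05-12T11:04:00", "ops",   "192.0.2.9", "failure"),
    ("2025-05-12T11:08:00", "ops",   "192.0.2.9", "failure"),
    ("2025-05-12T11:12:00", "ops",   "192.0.2.9", "failure"),
    ("2025-05-12T11:16:00", "ops",   "192.0.2.9", "failure"),
    ("2025-05-12T11:20:00", "ops",   "192.0.2.9", "success"),     # only 3 failures inside the window: quiet
]

def failures_then_success(events, window=timedelta(minutes=15), threshold=5):
    """One finding per successful login that was preceded, within `window`,
    by at least `threshold` failures from the same user and source IP."""
    parsed = sorted(((datetime.fromisoformat(ts), user, src, outcome)
                     for ts, user, src, outcome in events), key=lambda e: e[0])
    findings = []
    for i, (t, user, src, outcome) in enumerate(parsed):
        if outcome != "success":
            continue
        # Only earlier events (parsed[:i]) count, and only those inside the window.
        recent_failures = sum(
            1 for (t2, u2, s2, o2) in parsed[:i]
            if (u2, s2, o2) == (user, src, "failure") and t - t2 <= window
        )
        if recent_failures >= threshold:
            findings.append({"user": user, "src_ip": src,
                             "failures": recent_failures, "success_at": t.isoformat()})
    return findings

# --- 2. "Connection from public IP" with private and CGNAT ranges excluded ---

# 100.64.0.0/10 is RFC 6598 shared address space used by carriers for CGNAT:
# a source in it sits on the ISP side of the NAT and is not a public endpoint,
# so it should not trigger a "connection from public IP" finding.
NOT_PUBLIC_V4 = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private
    "100.64.0.0/10",                                   # RFC 6598 CGNAT
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
)]
WATCHED_PORTS = {22: "SSH", 445: "SMB", 3389: "RDP", 21: "FTP", 23: "Telnet"}

def is_public(ip):
    """True when `ip` is a routable public address. IPv4 uses an explicit list
    so the result does not depend on the Python version's is_global table."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6:
        return addr.is_global
    return not any(addr in net for net in NOT_PUBLIC_V4)

def connections_from_public_ip(connections):
    """Return (service, src_ip) for each connection to a watched port whose
    source is actually public."""
    return [(WATCHED_PORTS[dport], src) for src, dport in connections
            if dport in WATCHED_PORTS and is_public(src)]

# Constructed firewall connection records: (src_ip, dst_port).
CONNECTIONS = [
    ("100.64.1.2", 22),     # CGNAT source: excluded
    ("10.1.2.3", 445),      # RFC 1918 source: excluded
    ("203.0.113.5", 3389),  # public (TEST-NET-3 used as a stand-in): fires
    ("198.51.100.8", 80),   # public, but port is not watched: quiet
]

if __name__ == "__main__":
    print(failures_then_success(ADMIN_LOGINS))
    print(connections_from_public_ip(CONNECTIONS))
```

The window check is anchored on the successful logon, so a slow spray whose failures straddle the window (the `ops` user above) stays quiet while a burst followed by success fires; the public-IP check keys on an explicit exclusion list rather than on `is_private` alone, because the CGNAT block is not RFC 1918 space and is easy to miss.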
Bug Fixes and Improvements
Improvements
- Additional Timestamp for Real-Time Detections - We now display the `timestamp_parsed` field in the evidence table of real-time findings to show the difference between when a log is accepted and processed by Blumira and when the finding is generated.
- Expanded Detection Filter Fields - Detection filters now support array data types, allowing fields like `info` and `additional_fields` to be used when building filters.
- Expanded Parsed Fields - We added new parsed fields to enhance detection engineering efforts:
  - Google Workspace: `action_details`, `action_source`, `link`
  - Defender ATP: `NTDomain`, `UserPrincipalName`, `NetBiosName`, `CommandLine`, `OsPlatform`
  - Azure Audit Events: multiple fields added
  - Azure WAF: multiple fields added
  - JunOS: multiple fields added
  - Palo Alto GlobalProtect: new parsed data type
- Faster Detection State Changes - Enabling and disabling detections now takes effect more quickly. Status updates now better reflect the true state, though a brief delay may still occur during changes.
- Microsoft 365: Forwarding Rule Activity Previous 30 Days - We updated this global report to more accurately reflect events surfaced by several related detections.
- Summary Rules for Ubiquiti and Cisco Firepower Threat Defense - We added summary rules to enable portions of these data sources to be used in Investigate.
- Table Performance Enhancements - We improved load times, pagination, and search performance on multiple tables across the application, including the following:
- Findings table on the Findings page
- Matched Evidence table on the Finding Details page
- Distinct Counts Display - We resolved an issue where the count column did not always appear when using advanced filters with "Apply distinct counts."
- Error Prevented on Findings Export - We fixed a scenario where an error could occur when exporting findings if distinct counts was enabled.
- Mass Resolve Display Update - We fixed a visual issue where findings appeared unresolved after using bulk resolve, even though the responder was correctly assigned.
- Comment Display Consistency - We corrected an issue where comments on findings would temporarily disappear after refreshing the page.
- XDR Trial Detections - We fixed a problem that was preventing windowed detection rules from deploying to accounts on 30-day XDR Trials.
- Improved Text Wrapping in Evidence Fields - We adjusted evidence fields to better handle longer text, reducing unnecessary scrolling.
- Consistent Font Styling in Analysis Sections - We standardized font display for a cleaner, more consistent presentation.
April 2025 Release Notes
In case you missed the April updates, you can find and review those notes here.
Eric Pitt
Eric is a Product Marketing Manager at Blumira focusing on customer research and positioning to continuously improve the Blumira platform.