Too many new detection rules are added to Blumira’s platform to list them all, so here are a few that highlight the recent work of our incident detection engineers on Windows and Office 365 cloud security monitoring.
We roll out new rules on a weekly cadence to keep up with evolving attacker techniques and security misconfigurations, so that Blumira doesn’t miss any key findings in your environment. A detection is a security event that we have identified and that we alert our customers on so they can take action.
In each detection below, we include next steps for remediation and how it maps to the MITRE ATT&CK framework, a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.
The following detections were written by Lead Incident Detection Engineer Amanda Berlin:
Detecting Cloud Security Misconfigurations
Detection: Office 365 – New or Modified Microsoft 365 Group
A new group in Office 365 has been created or modified. A Microsoft 365 group creates a group email to collaborate. You can also add Microsoft Teams for group conversations, files, and calendars. This type of finding helps you track any misconfigurations for auditing purposes.
Blumira’s playbook walks you through the next steps to verify if this was an approved Office 365 group addition or modification. If you aren’t able to correlate this group change with legitimate use, Blumira recommends locking the user account associated with this change and performing incident response steps to ensure no other unknown actions have been taken by this user.
See below for additional details on the MITRE mapping, why it’s important to detect, and how to get this detection.
Detection: Office 365 – New or Modified Distribution or Mail-Enabled Security Group
A new group in Office 365 has been created or modified. A plain distribution group creates an email address for a group of people, while a mail-enabled security group is a distribution list that can also be used to control access to OneDrive and SharePoint. If it is a security group, it will be listed in the evidence as that group type.
MITRE: T1136; Tactic: Persistence
Why it’s important to detect: An attacker could create an account to maintain access to targeted systems. In cloud environments, attackers may create accounts that only have access to specific services to reduce the chance of detection, according to MITRE.
How to get these detections: You can get these two detections by setting up Blumira’s Azure Event Hub and Microsoft Office 365 integrations to start collecting and analyzing logs for automated detection and response.
Detecting Windows Security Events & Misconfigurations
Detection: Suspicious PowerShell Command
Microsoft Defender for Endpoint (previously named Microsoft Defender for Endpoints) has detected a malicious PowerShell command on {devname}. To review the potentially malicious command, visit the Windows security center for more details. This type of tactic is commonly used by attackers to run malicious code, escalate permissions or move laterally throughout your network.
If this was not an approved administrative action, Blumira’s remediation guidance is to examine logs around the time of the PowerShell command execution, remove the device from the network (if possible), then perform internal incident response procedures.
MITRE: T1059.001; Tactic: Execution
Why it’s important to detect: PowerShell is a powerful command-line interface and scripting environment included in the Windows operating system. Attackers may abuse PowerShell commands and scripts to discover information, execute code and download and run executables from the internet, according to MITRE.
How to get these detections: You can get these detections by setting up Blumira’s Microsoft Defender for Endpoint integration to start collecting and analyzing logs for automated detection and response.
Detection: A Windows Security Group Was Created or Modified
There are two types of AD groups:
- Active Directory Security Groups. This type of group is used to provide access to resources (security principal). For example, you want to grant a specific group access to files on a network shared folder. To do this, you need to create a security group.
- Active Directory Distribution Groups. This type of group is used to create email distribution lists (usually used in Microsoft Exchange Server). An e-mail sent to such a group will reach all users (recipients) in the group. This type of group cannot be used to provide access to domain resources, because they are not security-enabled.
If you are unaware of the creation/modification of this group, Blumira recommends locking the user account associated with this change and performing incident response steps to ensure no other unknown actions have been taken by this user.
MITRE: T1136; Tactic: Persistence
Why it’s important to detect: Attackers will create accounts to maintain access to targeted systems. Accounts may be created on the local system or within a domain or cloud tenant, according to MITRE. Detecting this type of activity can help identify security misconfigurations or help with auditing.
How to get these detections: You can get these detections by setting up Blumira’s Microsoft Windows integration to start collecting and analyzing logs for automated detection and response.
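As an added example (not Blumira’s detection code), the following normalizes the two kinds of telemetry behind the group detections above, Windows Security events for the "Windows Security Group Was Created or Modified" detection and Office 365 audit records for the distribution / mail-enabled security group detection, into findings mapped to T1136. The Windows event IDs and Exchange cmdlet names are the documented ones; the sample records, the `contoso.example` tenant and the group names are constructed.

```python
from collections import namedtuple
# Windows Security event IDs for security-enabled group creation/modification.
WINDOWS_GROUP_EVENTS = {
    4727: ("created", "security-enabled global group"),
    4731: ("created", "security-enabled local group"),
    4754: ("created", "security-enabled universal group"),
    4735: ("modified", "security-enabled local group"),
    4737: ("modified", "security-enabled global group"),
    4755: ("modified", "security-enabled universal group"),
}
# Exchange Online cmdlets as they appear in the Office 365 unified audit log.
O365_GROUP_OPERATIONS = {"New-DistributionGroup": "created",
                         "Set-DistributionGroup": "modified"}
Finding = namedtuple("Finding", "source action group group_type actor mitre")
MITRE = "T1136 (Persistence)"

def from_windows_event(event):
    """Windows Security log: the EventID alone gives action and group type."""
    hit = WINDOWS_GROUP_EVENTS.get(event.get("EventID"))
    if hit is None:
        return None
    return Finding("windows", hit[0], event["TargetUserName"], hit[1], event["SubjectUserName"], MITRE)

def from_o365_record(record):
    """Office 365 audit record: the cmdlet gives the action; the Type parameter,
    present only when set explicitly, marks a mail-enabled security group."""
    action = O365_GROUP_OPERATIONS.get(record.get("Operation"))
    if action is None:
        return None
    params = {p["Name"]: p["Value"] for p in record.get("Parameters", [])}
    if params.get("Type") == "Security":
        group_type = "mail-enabled security group"
    elif action == "created":
        group_type = "distribution group"  # New-DistributionGroup defaults to Distribution
    else:
        group_type = "distribution or mail-enabled security group (type not in record)"
    return Finding("office365", action, record["ObjectId"], group_type, record["UserId"], MITRE)

def triage(records):
    """Dispatch mixed records on their shape; keep only group-change findings."""
    findings = [from_windows_event(r) if "EventID" in r else from_o365_record(r) for r in records]
    return [f for f in findings if f is not None]

# Constructed sample records (not real telemetry); the 4624 logon must be ignored.
SAMPLE = [
    {"EventID": 4727, "TargetUserName": "Helpdesk-Admins", "SubjectUserName": "jdoe"},
    {"EventID": 4624, "TargetUserName": "jdoe", "SubjectUserName": "-"},
    {"Operation": "New-DistributionGroup", "ObjectId": "finance-leads", "UserId": "admin@contoso.example",
     "Parameters": [{"Name": "Type", "Value": "Security"}]},
    {"Operation": "Set-DistributionGroup", "ObjectId": "all-staff", "UserId": "admin@contoso.example",
     "Parameters": [{"Name": "Name", "Value": "all-staff"}]},
]
```

Each finding carries the actor, so the playbook step of correlating the change with an approved request (and locking the account if it cannot be correlated) has the user to start from.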
Related Resources
- Cloud Security Monitoring – Blumira’s cloud SIEM platform natively integrates with cloud services to provide cloud security monitoring and detect potential cloud threats.
- Microsoft Security – Easily detect and respond to Microsoft security risks, exploits and threats with Blumira’s cloud SIEM. Deploy in hours, without a security team.
See these detections in action by requesting a demo of Blumira’s platform or get a free trial and easily integrate with your Microsoft and cloud services for faster detection and response.
Thu Pham
Thu has over 15 years of experience in the information security and technology industries. Prior to joining Blumira, she held both content and product marketing roles at Duo Security, leading go-to-market (GTM) and messaging for the portfolio solution Cisco Zero Trust. She holds a bachelor of science degree in...