This month’s releases include new detections for high-risk threats such as CVE-2025-59287 exploitation, EDR-Freeze techniques, SYN floods, brute-force attempts, and internal UniFi alerts. We’ve also introduced automatic removal of inactive Blumira Agents for better license efficiency, and added parser support for Checkpoint Harmony Email Security. Platform improvements include enhanced evidence table customization, refined detection logic for Impossible Travel, and several bug fixes across reporting, API access, and threat feed handling.
Feature and Platform Updates
Auto-Deletion of Inactive Blumira Agents: You can now configure Blumira Agent endpoint keys to automatically remove inactive devices. This is useful for VDI environments and other situations where stale endpoints should be culled automatically so that agent licenses can be reused more efficiently.
Checkpoint Harmony Email Security Parser: A new parser has been released to support Checkpoint Harmony Email Security.
Detection Updates
| Log Type | Details |
|---|---|
| JumpCloud | NEW - JumpCloud: Global Administrator Role Granted This detection rule detects when someone assigns a JumpCloud user the Administrator or Administrator with Billing role. Default state: Enabled |
| JumpCloud | NEW - JumpCloud: Impossible Travel This detection rule detects when a JumpCloud user exhibits behavior consistent with impossible travel, where successful logins occur from geographically distant locations within a timeframe that would require travel speeds exceeding 500 MPH. Impossible travel refers to logins or access attempts that originate from different geographic locations within an unrealistically short timeframe, indicating potential malicious activity. Default state: Enabled |
| Sonicwall | NEW - Sonicwall: IP Spoof Alert This detection rule detects when a SonicWall firewall has generated numerous, consistent IP spoof alerts within a short period of time. This might be indicative of malicious attempts to access a network, but can also result from bad network or VPN routes. Default state: Disabled |
| Sonicwall | NEW - Sonicwall: SYN Flood Alert This detection rule detects a buildup of TCP SYN requests that are not followed by responses from the requesting host. This behavior is a common indicator of a SYN Flood attack, a type of denial-of-service (DoS) attack that aims to exhaust server resources and prevent legitimate requests. Default state: Disabled |
| Ubiquiti | NEW - Ubiquiti: UniFi Threat Detected and Blocked from Internal This detection rule triggers when a Ubiquiti UniFi threat signature identifies and blocks suspicious activity originating from within the internal network. This may indicate a compromised internal endpoint and should be investigated. Default state: Enabled |
| Windows | NEW - Potential Brute Force - 4625 & 4771 This detection rule detects potential brute-force attacks based on a high volume of login failures in a short timeframe. This rule triggers when 300 or more failed login events (event IDs 4625 and 4771) are observed within a 12-minute window for a single user account from a single source. Default state: Enabled |
| Windows | NEW - Potential EDR-Freeze Isolation Pattern This detection rule detects log patterns consistent with EDR-Freeze exploitation, a technique that uses WERFaultSecure.exe to isolate and impair endpoint detection and response (EDR) tools such as Microsoft Defender, SentinelOne, and CrowdStrike. This method can disrupt endpoint visibility and weaken defensive capabilities. Default state: Enabled |
| Windows | NEW - PUA: Wireshark Network Protocol Analyzer This detection rule detects the installation or execution of Wireshark, a widely used network protocol analyzer for capturing and inspecting network traffic in real time. While commonly used by IT and security professionals for legitimate purposes, Wireshark can also be leveraged by threat actors to intercept sensitive data, capture credentials, analyze communications, and perform internal reconnaissance after a compromise. Default state: Disabled |
| Windows | NEW - Suspicious Shell Execution from WSUS Service This detection rule identifies instances where cmd.exe or PowerShell spawns from the Windows Server Update Services (WSUS) service. This behavior is a known indicator of CVE-2025-59287, a critical unauthenticated remote code execution vulnerability in WSUS that allows attackers to execute arbitrary commands with system privileges. Default state: Enabled |
| 1Password | UPDATE - 1Password: Impossible Travel Activity Detection logic now evaluates the implied travel speed between login events rather than relying on a flat distance threshold. This improves accuracy in detecting suspicious travel across all distances. |
| JumpCloud | UPDATE - JumpCloud: Delete User Updated to reflect new log parsing logic for more reliable detection. |
| JumpCloud | UPDATE - JumpCloud: Create User Updated to reflect new log parsing logic for more reliable detection. |
| Microsoft 365 | UPDATE - Microsoft 365: Enabling of Forwarding Setting to External Domain Updated to account for log changes from Microsoft for added accuracy. |
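The speed-based impossible-travel check described for the JumpCloud and 1Password rules above, as an added example that is not Blumira's code: it computes the implied travel speed between consecutive successful logins for the same user and flags legs faster than 500 MPH, alongside the flat-distance rule that the 1Password update replaced, run over constructed login events. The event field names, the coordinates, and the 500-mile flat threshold are assumptions for illustration.

```python
import math
from datetime import datetime, timezone

IMPOSSIBLE_SPEED_MPH = 500.0   # speed threshold stated in the release notes
EARTH_RADIUS_MILES = 3958.8

def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance in miles between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(a))

def travel_legs(events):
    """(user, miles, mph) for each consecutive pair of successful logins per user."""
    legs, last = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "success":        # failed logins never anchor a leg
            continue
        prev = last.get(ev["user"])
        if prev is not None:
            miles = haversine_miles(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            hours = (ev["ts"] - prev["ts"]).total_seconds() / 3600
            mph = miles / hours if hours > 0 else (math.inf if miles else 0.0)
            legs.append((ev["user"], miles, mph))
        last[ev["user"]] = ev
    return legs

def speed_rule(events, max_mph=IMPOSSIBLE_SPEED_MPH):
    """Current logic: flag by implied speed, so a short hop within minutes still fires."""
    return [leg for leg in travel_legs(events) if leg[2] > max_mph]

def flat_distance_rule(events, max_miles=500.0):
    """Older logic: flag by distance alone, ignoring how much time elapsed."""
    return [leg for leg in travel_legs(events) if leg[1] > max_miles]

def _ev(user, result, iso, lat, lon):
    return {"user": user, "result": result, "lat": lat, "lon": lon,
            "ts": datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)}

# Constructed sample logins (not real telemetry): alice "travels" Detroit -> Chicago
# in ten minutes; bob flies New York -> Los Angeles over eight hours.
SAMPLE_EVENTS = [
    _ev("alice", "success", "2025-11-03T09:00:00", 42.3314, -83.0458),
    _ev("alice", "failure", "2025-11-03T09:05:00", 35.6762, 139.6503),  # ignored
    _ev("alice", "success", "2025-11-03T09:10:00", 41.8781, -87.6298),
    _ev("bob",   "success", "2025-11-03T01:00:00", 40.7128, -74.0060),
    _ev("bob",   "success", "2025-11-03T09:00:00", 34.0522, -118.2437),
]
```

The speed rule flags only alice (roughly 240 miles in ten minutes), while the flat-distance rule flags only bob, whose cross-country leg is plausible at about 300 MPH.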
Bug Fixes
- MSP Portal Accounts Page: We fixed an issue that was preventing some columns on the Accounts page from being sorted correctly.
- Sub-Account Visibility: We improved how sub-accounts are displayed when an MSP admin may not have access to the account.
- User Management in MSP Portal: We resolved an issue that was preventing MSPs from successfully adding or removing users from sub-accounts.
- Dynamic Blocklists: We fixed a bug that was causing external threat feed entries to override manual allowlist entries in Dynamic Blocklists, which was leading to allowed objects being blocked.
- Regex Filtering: Regex can now be used to filter the info field in detection filters.
- API in Automate Edition: We fixed an issue that was preventing the Blumira API page from displaying for customers on Automate edition.
Improvements
- Finding Comments: The name of the person who wrote a comment on a finding is now saved with the comment for better tracking and transparency.
- Matched Evidence Table Improvements:
  - In the evidence table of a finding, a cell whose content exceeds 6 lines is now truncated to save space in the table; users can resize the column to view the additional content.
  - Users can now choose which columns to show or hide so they can focus on the exact data they want to view in the table.
- Palo Alto Cortex Reporting: The message field is now available for Palo Alto Cortex logs in Report Builder.
- Azure General Reporting: Default fields are now available for Azure General logs in Report Builder.
October 2025 Release Notes
In case you missed the October updates, you can find and review those notes here.
Eric Pitt
Eric is a Product Marketing Manager at Blumira focusing on customer research and positioning to continuously improve the Blumira platform.