November 21, 2025

    October 2025 Product Releases

    This month, Blumira launched SOC Auto-Focus, an AI-powered investigation tool that enriches findings and gives teams greater context so that they can respond to threats faster. We also added several new detections to improve visibility into VPN abuse, eDiscovery misuse, GPO changes, VM creation, and suspicious file activity across Microsoft 365, Windows, VMware, Sophos, and more. Updates to existing rules further refined accuracy and reduced false positives. Additional improvements to the MSP Portal strengthened user management, data visibility, and overall usability.

    Feature and Platform Updates

    SOC Auto-Focus - Now Generally Available
    Blumira’s SOC Auto-Focus is now fully launched and available to all customers. This powerful feature uses AI-powered analysis to enrich findings with plain-language summaries and clear recommended actions to help your team accelerate investigations and respond faster.

    SOC Auto-Focus gives your team:

    • A plain-language summary that highlights key details for instant context
    • Criticality, response timeframe, and confidence score to help prioritize findings
    • Step-by-step investigation and remediation guidance directly in the Findings page
    • Clear explanations for each security recommendation to help analysts learn as they respond

    Learn more about how SOC Auto-Focus works and how to get started in our feature announcement.

    Detection Updates

    Log Type / Details

    Microsoft 365
    NEW - Microsoft 365: Purview eDiscovery Search or Export

    This detection identifies when a user initiates an eDiscovery search or export in Microsoft 365. This powerful feature can be used for legal compliance, but also for unauthorized data exfiltration.

    Default state: Disabled
    Palo Alto GlobalProtect
    NEW - Palo Alto GlobalProtect: Password Spraying Behavior

    This detection identifies potential password spraying attacks by correlating failed authentication attempts across multiple user accounts that originate from a single source.

    Default state: Disabled
    Sophos XG
    NEW - Sophos: Excessive VPN Login Failures

    This detection identifies a high rate of failed VPN login attempts from a single IP address reported by your Sophos firewall. Multiple rapid failed login attempts across different usernames may indicate credential stuffing or brute-force activity targeting your VPN.

    Default state: Enabled
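    The GlobalProtect and Sophos rules above rely on the same pattern: many authentication failures from one source spread across many different accounts, while a single user repeatedly mistyping a password from one address should not trip the rule. The block below is an added illustration of that logic and is not Blumira's detection code; the simplified log format, the thresholds (5 failures across at least 3 accounts within 5 minutes) and the events are all constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a simplified, vendor-neutral form (not real
# GlobalProtect or Sophos log lines): "timestamp,source_ip,username,result".
SAMPLE_LOG = """\
2025-10-14T08:00:01,203.0.113.5,alice,failure
2025-10-14T08:00:04,203.0.113.5,bob,failure
2025-10-14T08:00:07,203.0.113.5,carol,failure
2025-10-14T08:00:09,203.0.113.5,dave,failure
2025-10-14T08:00:12,203.0.113.5,erin,failure
2025-10-14T08:00:15,203.0.113.5,frank,failure
2025-10-14T08:01:00,198.51.100.7,alice,failure
2025-10-14T08:01:05,198.51.100.7,alice,failure
2025-10-14T08:01:10,198.51.100.7,alice,success
"""

def parse_events(text):
    """Parse the constructed CSV-style lines into (time, ip, user, result)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split(",")
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return sorted(events, key=lambda e: e[0])

def detect_spraying(events, window=timedelta(minutes=5), min_failures=5, min_users=3):
    """Return {source_ip: sorted distinct usernames} for every source whose
    failed logins inside a sliding `window` reach both thresholds. One user
    failing repeatedly from one IP never satisfies min_users, so it is not
    reported; only the "one source, many accounts" shape is."""
    recent = defaultdict(deque)  # ip -> deque of (time, user) failures in window
    alerts = {}
    for ts, ip, user, result in events:
        if result != "failure":
            continue
        q = recent[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:  # drop failures older than the window
            q.popleft()
        users = {u for _, u in q}
        if len(q) >= min_failures and len(users) >= min_users:
            alerts[ip] = sorted(users)
    return alerts

if __name__ == "__main__":
    for ip, users in detect_spraying(parse_events(SAMPLE_LOG)).items():
        print(f"possible spraying from {ip}: {len(users)} accounts {users}")
```

    Tuning `min_users` is what separates this rule from a plain brute-force rule: lowering it to 1 makes the second source in the sample fire as well.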
    VMware
    NEW - VMware: VM Creation

    This detection rule monitors for new virtual machine creation events within a VMware environment.

    Default state: Disabled
    Windows
    NEW - Esentutl File Copy Operation

    This new detection rule monitors for use of the Windows utility esentutl.exe to copy files. Although esentutl.exe is a legitimate tool, it is often abused by threat actors to exfiltrate data or move files undetected.

    Default state: Enabled
    Windows
    NEW - Modification to Group Policy Objects

    This rule monitors for group policy object (GPO) modifications, such as changes to policy links, added values, or deletions. While GPO modifications are common during routine system administration, this behavior can indicate persistence or privilege abuse by attackers.

    Default state: Disabled
    Microsoft 365
    UPDATE - Microsoft 365: Impossible Travel AAD Login (All distance versions)

    All versions of this detection rule now include device name and device ID fields. When available, this information gives responders useful context during investigation and remediation.
    Microsoft 365
    UPDATE - Microsoft 365: SsoArtifactRevoked Failed Login

    This detection logic has been updated to reflect changes in Microsoft log formatting.
    OSSEC
    UPDATE - MS SQL Server Logon Failure

    We updated this detection to account for recent changes in OSSEC rule numbers to ensure continued accuracy.
    OSSEC
    UPDATE - TCP/445 Connection from Public IP

    We updated the title, analysis, and workflow of this rule for clarity when working with a finding. This detection was previously titled “SMB Connection from Public IP.” Similar improvements are planned for related detections in this series.

    Bug Fixes

    • MSP Portal Accounts Page: We fixed an issue that was preventing some columns on the Accounts page from being sorted correctly.
    • Sub-Account Visibility: We improved how sub-accounts are displayed when an MSP admin may not have access to the account.
    • User Management in MSP Portal: We resolved an issue that was preventing MSPs from successfully adding or removing users from sub-accounts.

    Improvements

    • Settings Visibility: Administrators can now see the following read-only settings for their accounts on the Organizations page (Settings > Organizations):
      • Data Retention is the number of days of historical log data that Blumira stores for the account
      • User Count is the number of billable employees for the organization

    September 2025 Release Notes

    In case you missed the September updates, you can find and review those notes here.

    Tag(s): Product Updates

    Eric Pitt

    Eric is a Product Marketing Manager at Blumira focusing on customer research and positioning to continuously improve the Blumira platform.
