- Product
Product Overview
Sophisticated security with unmatched simplicityCloud SIEM
Pre-configured detections across your environmentHoneypots
Deception technology to detect lateral movementEndpoint Visibility
Real-time monitoring with added detection & responseSecurity Reports
Data visualizations, compliance reports, and executive summariesAutomated Response
Detect, prioritize, and neutralize threats around the clockIntegrations
Cloud, on-prem, and open API connectionsXDR Platform
A complete view to identify risk, and things operational
- Pricing
- Why Blumira
Why Blumira
The Security Operations platform IT teams loveWatch A Demo
See Blumira in action and how it builds operational resilienceUse Cases
A unified security solution for every challengePricing
Unlimited data and predictable pricing structureCompany
Our human-centered approach to cybersecurityCompare Blumira
Find out how Blumira stacks up to similar security toolsIntegrations
Cloud, on-prem, and open API connectionsCustomer Stories
Learn how others like you found success with Blumira
- Solutions
- Partners
- Resources
Welcome to our weekly security detection and report update. Our Incident Detection Engineering (IDE) Team is constantly hard at work. Creating, testing, and writing detections for you! This week, we've made several important updates to improve your security posture and enhance the functionality of our detections. As you might know, monthly, we also release an overview of the entirety of what was changed in the product. However in these updates we'll focus on the net new content that IDE provides on an ongoing basis, musings from our team, and maybe the occasional horoscope if you're lucky.
Introduction and Overview
I know I've been slacking with the updates!! Our IDE Team has been cranking through fixes and updates to many detections, making them higher fidelity, faster, and adding even more context. I'll save the massive amount of updates they've worked on over the past months for our monthly updates, and offer you up all of our net new detections below!
New Detections
This update introduces:
Entra ID: User Access Administrator Role Granted at Root Scope
New detection to track root permission assignments in Azure.
- Status: Enabled
- Log type requirement: Azure Directory Audit
Google Workspace: Login from Outside of Canada
New operational detection for our Canadian friends.
- Status: Disabled
- Log type requirement: Google Workspace
Microsoft 365: Authentication Outside of Australia
New detection for authentications outside of the region.
- Status: Disabled
- Log type requirement: Azure Directory Audit
Microsoft 365: User Session Token Anomaly
It's the token theft one! This detection is aiming to uncover session anomalies and deviations in normal behavior for potential token theft, cookie theft, and AiTM patterns. This is when the same session ID from the cookie/token is used across multiple devices, locations, IPs, etc. We are trying to uncover the cases where a cookie or token was stolen and replayed in order to gain access that is the real end-game goal. It surfaces potential accounts that are deviating from their normal behavior mathematically. A new anomaly based detection that aims to uncover
- Status: Disabled
- Log type requirement: onelogin
OneLogin: User Suspended
An operational detection to alert responders to when a user in OneLogin is suspended.
- Status: Disabled
- Log type requirement: onelogin
SonicWall: 5+ Login Failures in 15 Minutes Followed by Successful Authentication
Surface successful logins to Sonicwall devices after multiple repeated failures.
- Status: Enabled
- Log type requirement: Sonicwall Traffic
Suspicious Double Extension File Execution
Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe. Threat actors have used this to disguise their malicious exe files as a different file type.
- Status: Enabled
- Log type requirement: Windows, Sysmon, or Blumira Agent for Windows
- More information: DarkGate Loader Malware Delivered via Microsoft Teams
Suspicious Execution of qwinsta.EXE
Monitors for suspicious execution of the qwinsta utility. Specifically for instances where it is launched via PowerShell remoting or the output is being redirected.
- Status: Enabled
- Log type requirement: Windows, Sysmon, or Blumira Agent for Windows
- More information: QakBot technical analysis
Suspicious Double Extension Shortcut (.LNK) File
Monitors for file creation events associated with shortcut (.LNK) files with a double extension.
- Status: Disabled
- Log type requirement: Windows, Sysmon, or Blumira Agent for Windows
- More information: lnk2pwn
New Reports
Microsoft 365 - Application Consents Granted Previous 30 Days
Deprecated Detections
DFIR Report: Qbot Tier 1 Endpoint Command and Control
No longer supported by DFIR Report
SolarWinds Orion Sunburst Exploitation Attempt
Amanda Berlin
Amanda Berlin is the Senior Product Manager of Cybersecurity at Blumira, bringing nearly two decades of experience to her position. At Blumira she leads a team of incident detection engineers who are responsible for creating new detections based on threat intelligence and research for the Blumira platform. An...
More from the blog
View All Posts
Product Updates
11 min read
| August 5, 2025
July 2025 Product Releases
Read More
Compliance Security Frameworks and Insurance
7 min read
| July 17, 2025
Blumira's Compliance Reports: Making Audit Assessments a Breeze
Read More
Product Updates
5 min read
| July 15, 2025
Streamline Your SecOps with the New Blumira API
Read MoreSubscribe to email updates
Stay up-to-date on what's happening at this blog and get additional content about the benefits of subscribing.