- Product
Product Overview
Sophisticated security with unmatched simplicityCloud SIEM
Pre-configured detections across your environmentHoneypots
Deception technology to detect lateral movementEndpoint Visibility
Real-time monitoring with added detection & responseSecurity Reports
Data visualizations, compliance reports, and executive summariesAutomated Response
Detect, prioritize, and neutralize threats around the clockIntegrations
Cloud, on-prem, and open API connectionsXDR Platform
A complete view to identify risk, and things operational
- Pricing
- Why Blumira
Why Blumira
The Security Operations platform IT teams loveWatch A Demo
See Blumira in action and how it builds operational resilienceUse Cases
A unified security solution for every challengePricing
Unlimited data and predictable pricing structureCompany
Our human-centered approach to cybersecurityCompare Blumira
Find out how Blumira stacks up to similar security toolsIntegrations
Cloud, on-prem, and open API connectionsCustomer Stories
Learn how others like you found success with Blumira
- Solutions
- Partners
- Resources
Summary
In September, we introduced new system-level notifications to warn users when a Cloud Connector has stopped logging so they can fix the problem as soon as possible. We also packed 14 new detection rules into our detection suite, along with even more threat intelligence to boost your security coverage. Check out the details below!
Feature and Platform Updates
-
New System Notifications: Cloud Connector health notifications are now available to users in all Blumira editions. If enabled, you will be notified when your Cloud Connectors encounter a persisting error status or cannot complete their initial setup so you can take action to fix the connector and resume logging. You can edit your personal settings on the Notification Settings page. Learn more about the available options here.
More Threat Feed Data: We’ve updated the threat feeds we use to provide you with threat alerts and blocking capabilities, adding DFIR Report intelligence that covers these command and control frameworks: DCRAT, AsyncRAT, Viper, PupyRAT, Havoc, and More_eggs.
New Global Report: “Microsoft 365 - Global Admin Role Assignments” is a new global report for users looking to track net new Global Admin role assignments in Microsoft 365.
Detection Updates
Log Type | Detection Details |
---|---|
All traffic data types |
NEW - DFIR Report: AsyncRAT Command and Control This command and control traffic is likely related to AsyncRAT infrastructure. AsyncRAT is a remote access trojan. For more information about AsyncRAT, see the GitHub repository. Default state: Enabled |
All traffic data types |
NEW - DFIR Report: DcRAT Command and Control This command and control traffic is likely related to DcRAT infrastructure. DcRAT is a remote access trojan known for initial access operations. For more information about DcRAT, see the GitHub repository or this post from Blackberry. Default state: Enabled |
All traffic data types |
NEW - DFIR Report: Havoc Command and Control This command and control traffic is likely related to Havoc infrastructure. Havoc is a command and control framework. For more information about Havoc, see the GitHub repository. Default state: Enabled |
All traffic data types |
NEW - DFIR Report: More_eggs Command and Control This command and control traffic is likely related to More_eggs infrastructure. More_eggs is a JavaScript backdoor trojan. For more information about More_eggs, see this post from MITRE. Default state: Enabled |
All traffic data types |
NEW - DFIR Report: Pupy Command and Control This command and control traffic is likely related to Pupy infrastructure. Pupy is a free and open-source remote access tool and post-exploitation framework. For more information about Pupy, see the GitHub repository or this post from AHN Labs. Default state: Enabled |
All traffic data types |
NEW - DFIR Report: Viper Command and Control This command and control traffic is likely related to Viper infrastructure. Viper is a free and open-source modular offensive security multi-tool, similar to Metasploit, that can be used across stages in intrusions including command and control, discovery, lateral movement, and impact. For more information about DcRAT, see the GitHub repository. Default state: Enabled |
Azure AD |
NEW - Azure: SQL Firewall Rule Created Because it's nice to know when your Azure tenant may be opening SQL up! Default state: Disabled; must be enabled by an administrator |
Azure AD |
NEW - Azure: SQL Firewall Rule Deleted Probably not as risky of a detection as “Firewall Rule Created,” but it's nice to have parity. 😉 Default state: Disabled; must be enabled by an administrator |
GCP Cloud Audit |
NEW - Google Cloud Platform: API Key Generated A user has created or requested the creation of an API key within your Google Cloud Platform (GCP) tenant. This can be part of the normal admin or operational lifecycle within GCP. Threat actors have been increasingly observed using API keys to maintain persistence within cloud environments. Default state: Enabled |
GCP Cloud Audit |
NEW - Google Cloud Platform: Secret Created in Secret Manager A user in your Google Cloud Platform tenant has created or requested to create a new secret. Default state: Disabled; must be enabled by an administrator |
MS365 AD |
NEW - Microsoft 365: SsoArtifactRevoked Failed Login Detects when a user has failed to log in to Microsoft 365 services and the resultant error indicates the session was denied due to a bad password (either expired or recently changed). These events can also be related to conditional access policies denying a login. We have seen evidence of this activity in Business Email Compromise during our research. Default state: Disabled; must be enabled by an administrator |
Windows or Blumira Agent |
NEW - ESX Admin Group Creation or Modification A domain group named "ESX Admins" has been created or modified in Active Directory. This detection identifies the following activities:
While this may be legitimate administrative activity, it should still be accounted for. Threat actors have been observed taking advantage of a vulnerability using these groups via CVE-2024-37085. Default state: Enabled |
Windows or Blumira Agent |
NEW - Suspicious Windows Defender Registry Key Tampering via Reg.exe Administrators and administrative software may modify Windows Defender registry keys while installing antivirus. Threat actors may tamper with Windows Defender registry keys to attempt to disable protection and detection features during adversarial activity and malware deployment. For more information, see Buzzing on Christmas Eve: Trigona Ransomware in 3 Hours. Default state: Enabled |
Windows, Blumira Agent for Windows, Blumira Agent for Linux, Blumira Agent for Mac |
NEW - Network Tunneling Tool: Chisel Chisel is a free and open source network tunneling tool that can be used to establish tunnels for various protocols over HTTP for legitimate business uses like enabling remote access. These tools can also be used to bypass network security controls, obscure malicious activities, or exfiltrate sensitive data if used by threat actors who have gained unauthorized access to a system or network. To learn more, see the following resources: Default state: Enabled |
August Release Notes
In case you missed the August updates, you can find and review those notes here.
More from the blog
View All Posts
Product Updates
11 min read
| August 5, 2025
July 2025 Product Releases
Read More
Compliance Security Frameworks and Insurance
7 min read
| July 17, 2025
Blumira's Compliance Reports: Making Audit Assessments a Breeze
Read More
Product Updates
5 min read
| July 15, 2025
Streamline Your SecOps with the New Blumira API
Read MoreSubscribe to email updates
Stay up-to-date on what's happening at this blog and get additional content about the benefits of subscribing.