Product integrations can vary based on if the product uses direct Syslog output or an API (application programming interface). In the Blumira platform, we have what we call a Logger module which ingests all Syslog output from devices that use dedicated syslog. We also have many different APIs for products that don’t use Syslog output. Our development team is constantly working on building new API-based modules to ingest new data types we see from our new customers.
Some of these APIs aren’t always straightforward as to what is ingested and what is left out (looking at you, Microsoft). I wanted to share some examples of integrations that Blumira’s Security Operations team helps with when we onboard a new customer or when an existing customer purchases a new product that requires a new API to be built.
Azure Event Hub Expertise
We’ve spent a lot of time figuring out what data flows through Microsoft Azure Event Hub and have had to deal with on-the-fly changes from Microsoft which we monitor for periodically. In the screenshot below, you can see how we can provide integration details and what’s needed from your team to send Azure Event Hub logs to the Blumira sensor for automated detection and response.
Continued evidence that Microsoft needs to help out us end-users with data labeling!
We had a customer set up our MS Cloud App Security module which you’d think MS Defender ATP events could ingest. Unfortunately, Microsoft thinks otherwise! We advised this user to install our MS Azure Event Hub module to get those events. Our MS Cloud App Security module applies to Office 365 ATP and MS Cloud Security products.
You may have noticed a pattern with Microsoft data ingestion. We have worked hard to make this as easy as possible for our customers to pass us all relevant data. We have a write-up which shows all of our current MS modules and what products apply to each module.
Windows Log Flow Using NXlog and Flowmira
We use an open-source tool known as NXLog Community Edition for our Windows Endpoints. We gather a plethora of data from the hosts using our enhanced configuration Flowmira on top. Flowmira was created by our Sr. Incident Detection Engineer Amanda Berlin. This agent with the Flowmira configuration allows us to see what events are being streamed into the Windows logs on that host.
We help customers get their Windows data flowing by pointing them to our robust NXLog onboarding how-to, while also assisting the customer where needed! Amanda Berlin has created a default configuration template which looks for many interesting security events that may not be obvious to an end-user looking at the Windows security log on their own.
Our baseline configuration detects domain admin changes, account lockouts, Mimikatz (a hacker tool), password spraying activity and many more…automatically!
Our sales team has been an amazing help at guiding our customers towards what is needed on the module portion of the onboarding process. Most of the tasks shown in this article are handled in the presales process. Although our technical sales team is top-notch, the Security Operations team still likes to audit our customers after the onboarding process to make sure all possible data is feeding into the Blumira sensor. Most, if not all logs are being sent to the sensor on Day 1 of onboarding!
In conclusion, please reach out to our team if you have any questions about the data we actively ingest, what we’re working on, and what you have in our tech stack! We’re happy to help get any data flowing to your Blumira sensor.