fbpx
Share on:

Welcome to our weekly security detection and report update. Our Incident Detection Engineering (IDE) Team is constantly hard at work. Creating, testing, and writing detections for you! This week, we’ve made several important updates to improve your security posture and enhance the functionality of our detections. As you might know, monthly, we also release an overview of the entirety of what was changed in the product. However in these updates we’ll focus on the net new content that IDE provides on an ongoing basis, musings from our team, and maybe the occasional horoscope if you’re lucky.

Introduction and Overview

This week was all about you! Yes, you!

We currently have dedicated customer detection sprints that focus on bugs and requested detections. Sometimes those detections can turn into great detections for all! One practice we like to follow is to consistently strive to turn any custom detection creation into something that can benefit all Blumira customers that have a certain piece of technology. You’ll see examples of these below.

New Detections

This update introduces several new detections, including:

Top Secret

If you know, you know. You were one of the completed custom detections. 😁

Google Workspace: Domain Data Export Initiated

These events can be a part of a normal business operation to migrate to another Workspace tenant or cloud service like Microsoft 365. However, it has also been seen leveraged by Threat Actors in attempts to exfiltrate data from Workspace.

  • Status: Enabled
  • Log type requirement: Google Workspace/Gsuite

Microsoft 365: Hidden Privileged Role Assignment

The roles of “Directory Synchronization Accounts”, “Partner Tier 1 Support” and “Partner Tier 2 Support,” while not Global Administrators, are extremely powerful.

  • Directory Synchronization Accounts — Can add new owners and credentials to all service principals
  • Partner Tier 1 Support — Can add new owners/credentials to all app registrations and add owners/members to all non-role eligible security groups
  • Partner Tier 2 Support (The main topic of the referenced article)

Microsoft does not recommend their use in most scenarios. Directory Synchronization Accounts can be used by accounts that are involved with Azure AD Sync (AKA: Entra ID Connect), for normal business operations. For more information, click here.

  • Status: Enabled
  • Log type requirement: Microsoft 365 Azure AD

Mimecast: User Released a Phishing Message from Quarantine

When users release potential phishing messages, this can be the beginning of a long line of malicious actions from an attacker. Many times these phishing messages include links to spoofed websites that attempt to capture users credentials, trick users into running unwanted programs, or create elaborate fraud scenarios. This detection relies on Mimecast to flag the message as fishing and log when a user has successfully released it from quarantine into their inbox.

  • Status: Enabled
  • Log type requirement: Mimecast Release

IDE Content

Of course we’re going to sneak some of our other content into detection updates!

The Hedgehog Defense #2: Defend Against Automatically Mounted Disk Images

A great article written by our one and only Jake Ouellette about the ways to defend against automatic disk mounting.

# threat detection, threat response, threat detection and response, cybersecurity threats, cybersecurity maturity, Detection Engineering, Security Detection Update

Security news and stories right to your inbox!