
Blumira Getting Started Guide

Welcome to Blumira!

We’re happy to have the opportunity to improve your security posture by leveraging our cloud-based threat detection and response platform.

 

Sign Up For Your Free Account Today

Get your free account with Blumira and secure your Microsoft 365 environment in minutes. No credit card required.

 

Free Trial

Getting Started

Add robust security detections to your environment with Blumira. After you configure your log sources to send to Blumira, our security operations team takes care of the tedious SIEM-related tasks: log parsing, data normalization, reporting, detection rules, and more.

1) Activate Your Blumira Account

Once your account is created, check your inbox for your account verification email. Simply follow the steps outlined in the email to get logged in to https://app.blumira.com.

Now that you’re logged into your account, getting started takes only a few minutes. Follow the steps below to begin:

2) Set Up a Cloud Connector

Cloud Connectors allow for immediate log collection to the Blumira cloud via API: https://www.blumira.com/cloud-connectors

Integrations currently available with Cloud Connectors:

Note – If you are on the Free, M365, or Cloud edition, you can skip to “What to Expect” below. If you are on the Advanced edition, you will want to continue to step 3 to set up a Blumira Sensor to ingest Windows logs, Firewall logs, and many other integrations which require a Blumira sensor (listed on www.blumira.com/integrations). Any integration supported via a Cloud Connector does NOT require a sensor.

3) Set Up a Blumira Sensor Host

Set up an Ubuntu host that will be used for the Blumira Sensor (used to connect to services and collect your logs) using the following instructions: https://www.blumira.com/integration/blumira-sensor-deployment

Suggested Requirements for Sensor Host:

  • 4 CPUs
  • 4 GB of memory
  • 200 GB of storage
  • Static IP address assignment

4) Create a Blumira Sensor

From the Blumira console https://app.blumira.com, create a Blumira sensor by completing the following steps:

  • Click Settings on the left menu
  • Next click the ADD NEW SENSOR button.
  • Enter a name for the sensor.
  • Optionally, describe the sensor’s use case in the Description field.
  • Use the Location dropdown to choose where the sensor resides.

Now click Install. Within 5 minutes you will receive an email containing the script that sets up your sensor’s environment; the same script is also shown on the sensor page in the console.

5) Activate the Blumira Sensor

Log in to your sensor host via SSH, then copy the setup script (from the sensor page in the console or from the email) and paste it into the host’s shell. The script sets up the sensor’s environment automatically and takes only a few moments to complete.

6) Add New Integrations

The final step is to configure your new integrations, log sources and modules.
Specific integration steps can be found in our documentation pages: https://blumira.com/integrations.

Below is a prioritized list of commonly-used integrations:

What to Expect

Once logs are flowing to Blumira, detection rules can be enabled to identify activity and alert your team. We have many default rules that can be enabled, and you may also request customization by contacting our Security Operations team. Let us know which integrations you’ve configured so we can enable the appropriate detection rules.

Need an IP to be added to an allow list to limit false alerts when you have scheduled network or server scans? Need a PowerShell script to be added to an allow list as it’s approved to run on your systems? We are here to help and ensure your success!

Example Detections

Here are some examples of the frequently seen detections across our customers that you might see once you get started. Keep in mind, detections vary based on the integrations that are sending logs:

  • Service Execution with Lateral Movement Tools
  • 500GB+ Outbound Connection via Generic Network Protocol
  • Clearing of Windows Event Logs
  • Pass the Hash Behavior
  • Impossible Travel
  • M365 Email Forwarding Enabled
  • Admin Account Added
  • Multiple Windows User Accounts Password Reset Attempts
  • PsExec Use on Network
  • Potentially Malicious PowerShell Command
  • Clear-Text Password on Local System
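To make the list above concrete, here is an added example (not Blumira’s own rule logic or log schema) showing what two of these detections look like when run over a handful of constructed Windows Security events: “Clearing of Windows Event Logs” keys on Event ID 1102, and “Multiple Windows User Accounts Password Reset Attempts” counts distinct target accounts per acting account within a sliding time window of Event ID 4724. It also shows the allowlisting described above: the hypothetical `svc_pwrotate` account is an approved password-rotation service and is excluded, so it does not generate a false alert. The event format, thresholds and account names are all assumptions for illustration.

```python
"""Toy detection logic over constructed Windows Security events.

Added example, not Blumira's code. Event IDs used:
  4724 = an attempt was made to reset an account's password
  1102 = the audit log was cleared
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs; simplified field names).
SAMPLE_EVENTS = [
    # Approved rotation service resets five accounts in 20 seconds (benign, allowlisted).
    {"time": "2024-03-01T09:00:00", "event_id": 4724, "subject": "svc_pwrotate", "target": "alice"},
    {"time": "2024-03-01T09:00:05", "event_id": 4724, "subject": "svc_pwrotate", "target": "bob"},
    {"time": "2024-03-01T09:00:10", "event_id": 4724, "subject": "svc_pwrotate", "target": "carol"},
    {"time": "2024-03-01T09:00:15", "event_id": 4724, "subject": "svc_pwrotate", "target": "dave"},
    {"time": "2024-03-01T09:00:20", "event_id": 4724, "subject": "svc_pwrotate", "target": "erin"},
    # An interactive user resets five distinct accounts within a few minutes, then clears the log.
    {"time": "2024-03-01T13:10:00", "event_id": 4724, "subject": "jdoe", "target": "alice"},
    {"time": "2024-03-01T13:10:30", "event_id": 4724, "subject": "jdoe", "target": "bob"},
    {"time": "2024-03-01T13:11:00", "event_id": 4724, "subject": "jdoe", "target": "carol"},
    {"time": "2024-03-01T13:11:30", "event_id": 4724, "subject": "jdoe", "target": "alice"},  # repeat, counted once
    {"time": "2024-03-01T13:12:00", "event_id": 4724, "subject": "jdoe", "target": "dave"},
    {"time": "2024-03-01T13:12:30", "event_id": 4724, "subject": "jdoe", "target": "erin"},
    {"time": "2024-03-01T13:30:00", "event_id": 1102, "subject": "jdoe", "target": None},
    # Normal help-desk activity: two resets, far apart (below threshold).
    {"time": "2024-03-01T18:00:00", "event_id": 4724, "subject": "helpdesk1", "target": "frank"},
    {"time": "2024-03-01T18:45:00", "event_id": 4724, "subject": "helpdesk1", "target": "grace"},
]

# Hypothetical allowlist: accounts approved to perform bulk password operations.
ALLOWLISTED_SUBJECTS = frozenset({"svc_pwrotate"})


def _ts(event):
    """Parse the event's ISO-8601 timestamp."""
    return datetime.fromisoformat(event["time"])


def detect_log_clearing(events, allowlist=frozenset()):
    """Fire on every 1102 (audit log cleared) not performed by an allowlisted account."""
    return [
        {"rule": "Clearing of Windows Event Logs", "subject": e["subject"], "time": e["time"]}
        for e in events
        if e["event_id"] == 1102 and e["subject"] not in allowlist
    ]


def detect_mass_password_resets(events, threshold=5, window=timedelta(minutes=10),
                                allowlist=frozenset()):
    """Fire once per acting account that resets >= threshold distinct accounts within window."""
    by_subject = defaultdict(list)
    for e in sorted(events, key=_ts):
        if e["event_id"] == 4724 and e["subject"] not in allowlist:
            by_subject[e["subject"]].append(e)

    findings = []
    for subject, resets in by_subject.items():
        start = 0  # left edge of the sliding window
        for end, e in enumerate(resets):
            while _ts(e) - _ts(resets[start]) > window:
                start += 1
            targets = {r["target"] for r in resets[start:end + 1]}
            if len(targets) >= threshold:
                findings.append({
                    "rule": "Multiple Windows User Accounts Password Reset Attempts",
                    "subject": subject,
                    "targets": sorted(targets),
                    "first": resets[start]["time"],
                    "last": e["time"],
                })
                break  # one finding per subject is enough for an alert
    return findings


def run_detections(events, allowlist=ALLOWLISTED_SUBJECTS):
    """Run both rules and return the combined list of findings."""
    return detect_log_clearing(events, allowlist) + detect_mass_password_resets(events, allowlist=allowlist)


if __name__ == "__main__":
    for finding in run_detections(SAMPLE_EVENTS):
        print(finding)
```

Run as written, the sample produces two findings, both for `jdoe`; calling `detect_mass_password_resets(SAMPLE_EVENTS)` without the allowlist would additionally flag `svc_pwrotate`, which is exactly the kind of noise an allowlist request to Security Operations removes. The repeated reset of `alice` is deliberately counted once, so the rule measures breadth of impact rather than raw event volume.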

Blumira has hundreds of pre-tuned detections and our Incident Detection Engineering team adds more every week.

Tip: in-app messaging, as detailed below, is the easiest way to request that a specific rule be tuned or an allowlist entry be added.

How to Contact Support

Blumira offers several avenues to access our Security Operations and Support team. See our support page for hours and contact information: https://www.blumira.com/support

  • By Phone: (877) 870-5876
  • By Email: [email protected]
  • By Using Case Management: http://blumira.zendesk.com
  • In App: Send a message to support from the message area in the Responders’ dashboard. You may include attachments too!


Appendix

Configuration Documentation: