
Security Findings

Blumira Security Findings

Within Blumira’s automated threat detection and response platform, our findings (events detected) come in five different types – Operational, Risk, Suspect, Threat, & System Notification.

Risk

Items that Blumira has determined are a risk to any organization. All organizations have different risk thresholds that rely on a large variety of situations, configurations, and technical controls. Due to the wide range of thresholds, Blumira will not assign a risk severity to these findings.

In some environments, even the examples shown below would be definite threats; in others they would be considered risks to be addressed as part of a longer-term security architecture fix. Risk Findings are always Priority 3 at this point.

Examples:

  • RDP Connection from Public IP
  • Allowed Outbound or Inbound Evasive/Malicious Encrypted-Tunnel Software

Suspect

Items that cannot be verified as a threat due to a lack of information surrounding the event. Suspect events require further investigation or an additional piece of information from the customer to determine whether they should be escalated to Threat. The additional piece(s) of information may be requested via workflow questions within Blumira. A suspect may also be escalated to a threat based on Blumira’s professional judgment and analysis.

  1. Priority 1 – Respond Immediately.
  2. Priority 2 – Respond within the next day.
  3. Priority 3 – Respond within the next few business days unless notified otherwise.

Examples:

  • Potentially Malicious Macro Detected

Threat

An event is classified as a threat when an event that poses an immediate and real threat to the security of data or resources has been detected with a very high level of confidence. Steps to mitigate or remediate a threat will be presented to the customer via workflow questions in the portal.

Threats are categorized into 3 different priorities when sent to Blumira Responders:

  1. Priority 1 – Respond Immediately. Critical threats that will be a definite security incident. These events are malicious in nature and require immediate action to fix a weakness or an actual exploit of the network or device. At this level, vulnerabilities are being exploited with a severe or widespread level of damage or disruption to critical infrastructure assets.
  2. Priority 2 – Respond within the next day. High priority threats that require immediate attention. These events are malicious in nature, posing a significant security risk or involving an active attack without a foothold. At this level, there are attempts to exploit known vulnerabilities, or the potential for exploitation and damage is high.
  3. Priority 3 – Respond within the next few business days unless notified otherwise. Lower priority alerts with the potential for malicious activity, but no further action has been performed and no exploits have been identified.

Examples:

  • Password Spraying Detected
  • Command Shell Executed from Application
  • Potentially Threatening PowerShell Detected

Operational

Items that pertain to day-to-day operations. Not necessarily security related, but Blumira is ingesting the logs anyway! Operational Findings are always Priority 3 at this point.

Examples:

  • High Availability Failover
  • Disk Capacity
  • CPU Spikes
  • License Expiration Warnings

System Notification

An event related specifically to the workings of the Blumira platform.

Examples:

  • Blumira Sensor is Down
  • Significant Log Decrease from Device
