Summary
Last month, we delivered our fastest and easiest way to experience the best of our XDR Platform Edition in a 30-day trial. Plus, we added new cloud integrations for Microsoft GCC High and Google Cloud Platform.
Feature and Platform Updates
-
In-App XDR Trials: Organizations on Blumira’s Free SIEM Edition can now start a free trial of XDR Platform Edition directly in the app to immediately begin seeing the enhanced security benefits of XDR. Within minutes, you can experience the simplicity of deploying Blumira Agent for endpoint visibility and automated response and level up your security for the duration of the trial with 24/7 Security Operations support and broad detection coverage with additional Cloud Connectors.
-
New Cloud Connectors:
-
Microsoft GCC High: The Microsoft 365 Cloud Connector integration now supports logging and detections for GCC High tenants. This new integration is available to all Blumira editions.
-
Google Cloud Platform: This new cloud integration currently supports ingestion of GCP Audit logs. We will add parsing and detections in a future release.
-
Carbon Black Cloud Endpoint Standard: This cloud integration includes API and parsing updates and will replace the original sensor-based integration, which relies on an outdated API that is being retired by Carbon Black in July 2024.
-
-
Detection Rule Management: Free SIEM Edition users can now edit the default setting (enabled or disabled) for the real-time detection rules available to their organizations.
Detection Updates
Log Type | Detection Rule Name | Details |
---|---|---|
Blumira Agent macOS Endpoint Logs | NEW - macOS: Suspicious Plutil Activity | This new P3 detection rule alerts when the plutil utility runs on a Mac device. Threat actors have been observed leveraging plutil to modify .plist files in an attempt to modify application behavior, redirect to malicious applications, and evade defensive measures. |
Google Workspace | NEW - Google Workspace: Domain Data Export Initiated | This new P2 detection rule alerts when a user initiates a domain data export, which can be a normal business operation to migrate to another Workspace tenant or cloud service, but some threat actors also use this method to exfiltrate data. |
Microsoft365 Azure AD | NEW - Microsoft 365: Hidden Privileged Role Assignment | This new P2 detection rule alerts when a user assigns another user to one of the following privileged roles in Entra or Microsoft 365: Directory Synchronization Accounts Partner Tier 1 Support Partner Tier 2 Support These very powerful and purposefully hard-to-find roles are not typically used; even Microsoft suggests not using these roles, which makes this assignment highly suspicious. |
Mimecast | NEW - Mimecast: User Released a Phishing Message from Quarantine | This new P3 detection rule alerts when a user successfully releases a message categorized as phishing from Mimecast. |
Multi-Source | NEW - JavaScript Executed From Unusual Directory | This new P2 detection rule alerts when a user executes a JavaScript file from an unusual location, such as User or Public User directory folders (Downloads, Desktop, etc.). Some threat actors, such as SocGholish, use this method to establish command and control access. |
Multi-Source | NEW - Remote Access Tool: RustDesk | This new P3 detection rule alerts when a RustDesk process is observed on a device. RustDesk is a free and open source remote access tool used to remotely manage and support endpoints, but it has also been used by threat actors to establish remote connections to victim endpoints. |
Azure Signin | Azure AD: Anomalous Agent Sign-In Activity | This existing detection’s evidence now includes action_details and access_granted to help users investigate the activity. |
Microsoft365 Azure AD | Microsoft 365: Impossible Travel AAD Login | This existing detection’s evidence now includes agent information to help users investigate the activity. |
SonicWall Traffic | SonicWall: Login Failure | This existing detection’s analysis and evidence now include additional details to help users investigate the activity. |
Bug Fixes and Improvements
We released an improvement to reduce the frequency of notifications sent when an organization exceeds its Blumira Agent limit.
February Highlights
In case you missed the February updates, you can find and review those notes here.