Share on:


Last month, we delivered our fastest and easiest way to experience the best of our XDR Platform Edition in a 30-day trial. Plus, we added new cloud integrations for Microsoft GCC High and Google Cloud Platform.

Feature and Platform Updates

  • In-App XDR Trials: Organizations on Blumira’s Free SIEM Edition can now start a free trial of XDR Platform Edition directly in the app to immediately begin seeing the enhanced security benefits of XDR. Within minutes, you can experience the simplicity of deploying Blumira Agent for endpoint visibility and automated response and level up your security for the duration of the trial with 24/7 Security Operations support and broad detection coverage with additional Cloud Connectors.

  • New Cloud Connectors:

    • Microsoft GCC High: The Microsoft 365 Cloud Connector integration now supports logging and detections for GCC High tenants. This new integration is available to all Blumira editions.

    • Google Cloud Platform: This new cloud integration currently supports ingestion of GCP Audit logs. We will add parsing and detections in a future release.

    • Carbon Black Cloud Endpoint Standard: This cloud integration includes API and parsing updates and will replace the original sensor-based integration, which relies on an outdated API that is being retired by Carbon Black in July 2024.

  • Detection Rule Management: Free SIEM Edition users can now edit the default setting (enabled or disabled) for the real-time detection rules available to their organizations.

Detection Updates

Log TypeDetection Rule NameDetails
Blumira Agent macOS Endpoint LogsNEW - macOS: Suspicious Plutil ActivityThis new P3 detection rule alerts when the plutil utility runs on a Mac device. Threat actors have been observed leveraging plutil to modify .plist files in an attempt to modify application behavior, redirect to malicious applications, and evade defensive measures.
Google WorkspaceNEW - Google Workspace: Domain Data Export InitiatedThis new P2 detection rule alerts when a user initiates a domain data export, which can be a normal business operation to migrate to another Workspace tenant or cloud service, but some threat actors also use this method to exfiltrate data.
Microsoft365 Azure ADNEW - Microsoft 365: Hidden Privileged Role AssignmentThis new P2 detection rule alerts when a user assigns another user to one of the following privileged roles in Entra or Microsoft 365:

Directory Synchronization Accounts

Partner Tier 1 Support

Partner Tier 2 Support

These very powerful and purposefully hard-to-find roles are not typically used; even Microsoft suggests not using these roles, which makes this assignment highly suspicious.
MimecastNEW - Mimecast: User Released a Phishing Message from QuarantineThis new P3 detection rule alerts when a user successfully releases a message categorized as phishing from Mimecast.
Multi-SourceNEW - JavaScript Executed From Unusual DirectoryThis new P2 detection rule alerts when a user executes a JavaScript file from an unusual location, such as User or Public User directory folders (Downloads, Desktop, etc.). Some threat actors, such as SocGholish, use this method to establish command and control access.
Multi-SourceNEW - Remote Access Tool: RustDeskThis new P3 detection rule alerts when a RustDesk process is observed on a device. RustDesk is a free and open source remote access tool used to remotely manage and support endpoints, but it has also been used by threat actors to establish remote connections to victim endpoints.
Azure SigninAzure AD: Anomalous Agent Sign-In ActivityThis existing detection’s evidence now includes action_details and access_granted to help users investigate the activity.
Microsoft365 Azure ADMicrosoft 365: Impossible Travel AAD LoginThis existing detection’s evidence now includes agent information to help users investigate the activity.
SonicWall TrafficSonicWall: Login FailureThis existing detection’s analysis and evidence now include additional details to help users investigate the activity.

Bug Fixes and Improvements

We released an improvement to reduce the frequency of notifications sent when an organization exceeds its Blumira Agent limit.

February Highlights

In case you missed the February updates, you can find and review those notes here.

Security news and stories right to your inbox!