Blumira detects different types of security events, called findings, and provides you with a workflow to respond to and resolve those findings. We generate a finding when the logged event data from your environment meets the conditions of a Blumira detection rule. Logged events that do not meet a rule's conditions with matchable evidence do not trigger a finding.
Note: Blumira sends finding notifications immediately and according to your users' notification settings. Ensure that your users are able to receive notifications from Blumira to respond to findings in an appropriate timeframe.
Responding to and resolving findings
Assigning a responder
You can assign a finding to yourself or your teammates by selecting a person or multiple people in the Assigned responders box. Alternatively, you can click Assign to Me to take responsibility for the finding.
Note: The finding must be assigned before users can answer the workflow questions, and the assignment triggers notifications according to each user's notification preferences.
If you do not see a user in the list for assignment, ensure that the user has an account in your organization (Settings > Users) and that they have the Responder or Manager role.
Answering workflow questions
Each finding includes a workflow that consists of several questions to help you respond to the finding. Review the matched evidence (Details > Matched Evidence) within the finding for data to help you investigate. You can also run queries in Report Builder for additional data analysis.
Answers to each workflow question are visible in the finding even after the finding has been resolved.
Important: Answers cannot be changed after you select them in a workflow. See Resolving findings for options to close a finding even if you cannot finish the workflow.
Commenting on findings
Use the Notes section in a finding to add comments for internal team communication purposes or to reach out to Blumira Support. You can add as many comments as you need to, even after the finding is resolved, and the history of comments appears below the Analysis for the finding.
Note: Adding a comment to a finding triggers notifications according to each user's notification preferences.
To comment on a finding:
- On the finding's detail page, click Add note.
- In the text editing box, type your comments.
- (Optional) Add a file attachment to the note:
  - Click Upload in the Attachments section, then click Acknowledge in the confirmation window that appears.
  - In the Attach Files window, select or drop in a file from your computer.
  - Click Upload.
- Click Save to add the internal note without sharing it with Blumira Support, or click Add note & send to Blumira support if you need help with the finding.
Adding detection filters
In some scenarios, events that would normally generate a finding include safe sources that you want to allow and not see findings for. For example, when an employee has recently relocated or is working internationally, receiving and resolving certain findings about their activity could be unnecessary.
With Blumira's detection rule filters, you can exclude specific IP addresses, users, and other values from a detection rule.
Reference: Learn how to set up detection filters in Using detection filters.
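To make concrete how a detection filter narrows a rule without disabling it, here is a small model written for this article (it is not Blumira code, and the rule name, field names, filter reason and sample login events are all constructed). A rule fires only on events that supply matchable evidence, and a filter suppresses a match only when the filtered field carries the excluded value, so a filter added for one relocated employee leaves the same rule active for everyone else:

```python
"""Hypothetical model of detection rules, filters and findings (added example)."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable


@dataclass(frozen=True)
class Event:
    """One constructed login event in the shape a log source might emit."""
    user: str
    src_ip: str
    country: str
    outcome: str  # "success" or "failure"


@dataclass
class Filter:
    """Excludes one specific value of one field from a single rule."""
    field_name: str
    value: str
    reason: str


@dataclass
class Rule:
    name: str
    priority: str                      # "P1", "P2" or "P3", as in the priority levels
    condition: Callable[[Event], bool]
    filters: list[Filter] = field(default_factory=list)


@dataclass(frozen=True)
class Finding:
    rule: str
    priority: str
    matched_evidence: Event            # the event that satisfied the rule


def matching_filter(rule: Rule, event: Event) -> Filter | None:
    """Return the filter that excludes this event from the rule, if any."""
    for flt in rule.filters:
        if getattr(event, flt.field_name) == flt.value:
            return flt
    return None


def evaluate(rules: list[Rule], events: list[Event]):
    """Generate findings for events that match a rule and are not filtered.

    Returns (findings, suppressed); suppressed records what a filter hid so the
    exclusion stays reviewable rather than silently discarded.
    """
    findings: list[Finding] = []
    suppressed: list[tuple[str, Event, str]] = []
    for ev in events:
        for rule in rules:
            if not rule.condition(ev):
                continue                # no matchable evidence: no finding
            flt = matching_filter(rule, ev)
            if flt is not None:
                suppressed.append((rule.name, ev, flt.reason))
            else:
                findings.append(Finding(rule.name, rule.priority, ev))
    return findings, suppressed


def demo():
    # Constructed rule: a successful sign-in from outside the expected country.
    rule = Rule(
        name="Successful Login from Unexpected Country",   # hypothetical name
        priority="P3",
        condition=lambda e: e.outcome == "success" and e.country != "US",
        # Filter added for one relocated employee only; keyed on the user, not the rule.
        filters=[Filter("user", "alice@example.com", "relocated to Germany, ticket IT-0000")],
    )
    events = [  # constructed sample events
        Event("alice@example.com", "203.0.113.10", "DE", "success"),  # filtered
        Event("bob@example.com",   "198.51.100.7", "BR", "success"),  # finding
        Event("carol@example.com", "192.0.2.44",   "US", "success"),  # no match
        Event("alice@example.com", "203.0.113.10", "DE", "failure"),  # no match
    ]
    return evaluate([rule], events)


if __name__ == "__main__":
    found, hidden = demo()
    for f in found:
        print(f"{f.priority} {f.rule}: {f.matched_evidence}")
    for name, ev, why in hidden:
        print(f"suppressed by filter ({why}): {name}: {ev}")
```

The filter is deliberately keyed on the narrowest field that explains the benign activity (the user), and every suppression is returned alongside the findings so the team can periodically confirm the exclusion still has a reason to exist.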
Resolving findings
Completing a finding's workflow leads to a resolution that fits one of these resolution types:
- False positive
- No action needed
- Risk accepted
If you need to resolve a single finding or a batch of findings with the same resolution type, you can use the bulk-select feature on the Findings table to skip the workflow and immediately close the finding(s).
To bulk-select and resolve findings:
- Navigate to Reporting > Findings.
- Scroll or search to locate the finding(s) that you want to resolve.
- Click the check box next to the finding(s).
- Above the table, click Resolve selected as.
- From the menu that appears, select the appropriate resolution type for the finding(s).
- In the Resolution Notes box, type a custom resolution note about the resolution you selected.
Tip: View custom resolution notes on the finding's detail screen under Resolution Notes. These notes cannot be edited after saving.
Findings categories and priority levels
All findings are assigned a priority level, which indicates the urgency or severity of the event.
Important: Multiple occurrences of any finding, especially in the P1-P2 range, should be treated as a higher-priority threat when considered together.
Blumira's priority levels include:
P1: Respond immediately. These events are malicious and require immediate action to fix a weakness or an actual exploit of the network or device. At this level, vulnerabilities are being exploited with a severe or widespread level of damage or disruption to critical infrastructure assets.
P2: Respond within the next day. These events are malicious, either posing a significant security risk or involving an active attack that has not yet gained a foothold. At this level, there are attempts to exploit known vulnerabilities or the potential for exploitation, and the potential damage is high.
P3: Respond within the next few business days unless notified otherwise. These are lower-priority alerts with the potential for malicious activity, but no further action has been performed and no exploit has been identified.
The following describes the different Blumira findings categories and provides examples for each:
Suspect
Items that cannot be verified as a threat due to a lack of information surrounding the event. Suspect events require further investigation. We may request additional information via workflow questions within Blumira.
Example suspect findings:
- Suspicious PowerShell Command
- Suspected Web Shell Interaction
- Microsoft 365 - Suspicious Inbox Rule Creation
Threat
An event that we determined, with a high level of confidence, poses an immediate and real threat to the security of data or resources. We will present steps to mitigate or remediate the threat to you via workflow questions in the app.
Example threat findings:
- Password Spraying Detected
- Dump LSASS.exe Memory using ProcDump
- Suspected Malicious Macro File
- SSH Connections from Public IP
Risk
Security events that are a risk to any organization.
Note: Only P3 is used for risks because different organizations have different risk thresholds that depend on a large variety of situations, configurations, and technical controls. Respond according to your organization's assessment of the risk.
Example risk findings:
- Disabling of Multi-Factor Authentication on Azure AD User
- Modification of Office 365 Group
- Microsoft 365 Mass Download
Operational
Items that pertain to day-to-day operations. They are not necessarily security-related, but Blumira detected them in your logs.
Example operational findings:
- Microsoft 365 Exchange Domain Added
- FTP Connection from Public IP
- Okta log failure