
#24390 Blumira Product Release Notes: August

Status: Resolved. Created Sep 12, 2023, 3:28 PM; resolved Sep 27, 2023, 10:03 PM.
Blumira Product Release Notes: August
Feature updates, new detections, bug fixes and more.


Monthly Product Release Notes
August 2023

Hi there,

Our August release highlights include a faster, easier way to configure the AWS Cloud Connector and the addition of four new global reports. We also added six new detection rules and improved four existing detections.

Feature and Platform Updates

- AWS Cloud Connector: With Blumira’s [AWShim script](https://cxXTS04.na1.hubspotlinks.com/Ctc/LW+113/cxXTS04/VWfbFZ6ZllKrW7LQ7-c3w4n6XW1n-N7353lS1XN44_Dcj3m2ndW95jsWP6lZ3l8N18qbk0DV0VrW7bWWJS3MwFGCW9fZ-G32sQpCTW4m3zXR2JvCDyW5XTkSw4w43dlW2LgpZ72nZPgjW3dFsV_27Ff0WW6lV_R28DprZDW4-mxHS5bnstZW4hq3Ww9jlzjPW2Kgyrp8c23JjVp6jqx65zZRTW27rfN07jVJw9W8ZYGRL9bx58nW4vhM4D3xp_wNV17xXp6N1RCXW4L44_w3gd30hW6ZN3r018-3_pW3L6-jM7XGLvnVB27sl29K1fyW7n_wrP5nLxRrN6SQKQ5-lLm1W82yDC08XmG2-W8Knt414XzyFjW62DY0B8VRsFmVDnr0m6CPspcW2VMddl81QjHvW77MTvy3h9gSRVdMjNs8z2Pj2W94Qc0n7XrpCWf33l8P404) you can save significant time and reduce the complexity of completing the AWS logging configuration.

- Global Reports: Four new global reports are available in Report Builder:

  - Two new reports help users monitor anonymous access to shared links in OneDrive and SharePoint:

    - “Microsoft 365 - OneDrive Anonymous Access Activity”

    - “Microsoft 365 - Anonymous Share Link Created”

  - “Microsoft 365 - Domain and Tenant Match” helps when investigating M365 findings where the provided tenant_id alone does not make clear which tenant the activity belongs to.

  - “Citrix NetScaler: Executed Commands” supplements the detection we created to identify exploitation of Citrix NetScaler [CVE-2023-3519](https://cxXTS04.na1.hubspotlinks.com/Ctc/LW+113/cxXTS04/VWfbFZ6ZllKrW7LQ7-c3w4n6XW1n-N7353lS1XN44_DbK5kBVqW7Y9pgv6lZ3nfVKjTnQ6BLhJ2W2Rk_w79ddpD4W4wbYrd3BWT_kW2FT4_58-WbrdW1--VS550jG8LW1XNydG3TxH7SW7-hvdh2lr5ywW7j1wBs7fKFKKW6NVXYP90MPcJW7nWWqL7m0LP9W2hLxN66-q98ZW6DT3_R93h-m-W5fSDT92wx7WJW2vQCw48bwn6hV_lmrQ67sQrXW5V_-xP4jmDTMW2wKh_N2FJPBSW8RKqkG6r867sMl95tjsnWS3W294cSb1JzqZrW85ZDS51_M1lJW6dyJ_G2LBcDPW9k-DH61cJXGPW31vMLQ4XSdMrW8cTzwR8mxrNxW6QVzxN89c6vmN2131skP5DW1W6sDxs85X8LnwW3kGkLk7_Rd9WW5d3znd3ltbvtW5cgwn22tpLQSW5x_M7-7-HDbWW100tvd204cGZW814Wjq56WkK4W3WWjC-4Z1DTKW8qntlw1qMRbzW6rXDPR4zn0fRW5cgvhj3dR6NmW3XV5815t4YPwW801-b918lK8JW2wPlVr1SRqgQW7RGCj86-HRLmf8_gk3v04).

Detection Updates

| Log Type | Detection Rule Name | Details |
| --- | --- | --- |
| Microsoft Windows | Signed Binary Proxy Execution: Msiexec | The detection rule named “Signed Binary Proxy Execution: Msiexec - Execute Remote MSI file” was renamed and updated to target [Raspberry Robin](https://cxXTS04.na1.hubspotlinks.com/Ctc/LW+113/cxXTS04/VWfbFZ6ZllKrW7LQ7-c3w4n6XW1n-N7353lS1XN44_Dbq3m2ndW7lCdLW6lZ3nsN3z4B39l9s51W5WL3827wwJTXW5HTfBS53RhCGVbQvqF36VPbcW4340zf61h180W2Ypg0k86dC3fW7Gh6Hv3yL9Y9N1h4fjQ4t6b9W4f5rmB3rgKc-W5r38xX6qvKqyW5nh64W7_pwvJW7qNvR96bJpnMVD1x-y78qWq2W4dphDF6cwkwSW5MjwWL33LCd-N3JggTPBgTQqW7rqGCH8N_JNjW7-bnnW22B-dXW3mtfLK7Xy8-5W78ZRy65N6-TyW8Plhq91hBk9nW5LZNmR1yB42CW5mnzNh2F33pCW7Ysk_G7bH27Tdqhh1K04) activity, specifically remote file execution via the signed binary msiexec. |
| Microsoft Windows | NEW - Fast Reverse Proxy Process Creation | This new detection identifies activity related to the network proxy tool Fast Reverse Proxy. While this software is not malicious, it is often abused by threat actors to bypass firewalls and exfiltrate data. |
| Microsoft Windows | NEW - Fast Reverse Proxy Process Creation | This new detection identifies executables running from a public folder. Threat actors often use the Public folder to distribute and run malware on an endpoint because of the relaxed default permissions applied to this directory. |
| Microsoft Windows | Remote Access Tool: GoToMyPC | The detection was updated to also identify activity related to the tool GoToAssist. |
| Microsoft Windows | NEW - SharpHound Process Creation | This new detection was created for the BloodHound collection tool SharpHound. This tool actively scans and enumerates Microsoft Active Directory and prepares the results for ingestion into BloodHound. |
| Microsoft 365 | Modification of Microsoft 365 Group | The field device_address has been added to this detection to clarify which Cloud Connector the matched evidence was generated from. This value is most useful in accounts running more than one Cloud Connector. |
| Multiple Types | NEW - Telnet Connection from Public IP | This new rule detects when a public IP has connected to a server on your network via Telnet. Telnet allows a user to manage an account or device remotely and can be compromised by brute-forcing a weak password, so public access to Telnet should not be allowed unless required. |
| Multiple Types | SSH Connection from Public IP | Detection logic was updated to include more fields in matched evidence, giving responders more context and allowing users to create additional detection filters if needed. The new fields are: client_id, additional_fields, unknown_field, subtype, and type. |
| NetScaler | NEW - Citrix NetScaler: CVE-2023-3519 Indicators of Compromise | This new detection identifies exploitation of Citrix NetScaler in response to the recently reported [CVE-2023-3519](https://cxXTS04.na1.hubspotlinks.com/Ctc/LW+113/cxXTS04/VWfbFZ6ZllKrW7LQ7-c3w4n6XW1n-N7353lS1XN44_DbK5kBVqW7Y9pgv6lZ3nPW5YrKqt64hpD9N7yg778MJfggVG56qR3tDCfQN2MZYf9P9w8gV9hFFT61R5XLW85NS8J7bHWsXW4gtwSK3vJvkPW2Pd7Jt9hBK_6N74C-pJKpWQvW9cRy4249mTL9W6vDHS98Bl-z1W2c2xtH8PRkt_W6bVcvb20Vg9qW3-2xvc6Rj3yGW37Cn8j71D40QW7TzFXc230wdKW6dMcZp6G-KxqW5l4DsV8tvh2tW7J0h9k85nwNdW4SlSb66Ml39cN8TWRVTXpkDtW29CMPW60SfbzW1YMG4p7yVwS_W8QLlFP74hFYmW7j-TyV6r9tHQW3vq2yk8_nwL0N3RFxwxw8F4fW6vcNMg3hkg7MMT9R85ycHpyW2F6fmz9kR7BQN53z6yqdFk_XW35SNzm1BFVYDVYlByY3FB0XJMmtWBpsM5V-W1_jcrb2mgWNCW3ywWwG24-d2gW77LD3M39M70VN6XDDnckwKnzW3nKjZ99bNrB2V3KQ5r18MT2NW4MVcy_7dQs9bW3Rh4G29bg_h-f70txgH04). We also released a new global report, Citrix NetScaler: Executed Commands, to aid in investigations. |
| Fortigate | NEW - Fortigate Firmware Available | This new operational detection indicates when a Fortigate endpoint has a firmware upgrade available. |
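To illustrate the kind of logic behind two of the rules above (executables running from the Public folder, and Telnet connections from a public IP), here is an added example that is not Blumira's code and does not reproduce its actual detection rules; the event records, hostnames and field names are constructed for the example.

```python
import ipaddress
import ntpath

# Constructed sample events (not Blumira data), normalised to plain dicts:
# Windows process-creation records and inbound network-connection records.
# 203.0.113.0/24 is a documentation range used here as a stand-in public IP.
EVENTS = [
    {"type": "process", "host": "ws01", "image": r"C:\Users\Public\update.exe"},
    {"type": "process", "host": "ws01", "image": r"C:\Windows\System32\notepad.exe"},
    {"type": "process", "host": "ws02", "image": r"C:\Users\Public\Downloads\tool.exe"},
    {"type": "network", "host": "srv01", "src_ip": "203.0.113.45", "dst_port": 23, "proto": "tcp"},
    {"type": "network", "host": "srv01", "src_ip": "10.0.0.12", "dst_port": 23, "proto": "tcp"},
    {"type": "network", "host": "srv01", "src_ip": "198.51.100.7", "dst_port": 443, "proto": "tcp"},
]

PUBLIC_DIR = r"c:\users\public"

# Address space treated as "not public": RFC 1918, loopback, link-local, CGNAT.
# Deliberately not ipaddress.is_global, which also excludes documentation ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",
)]

def is_public(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def public_folder_execution(ev):
    """Flag any executable launched from under C:\\Users\\Public (case-insensitive)."""
    if ev["type"] != "process":
        return None
    image = ntpath.normpath(ev["image"]).lower()
    if image.startswith(PUBLIC_DIR + "\\"):   # trailing separator avoids C:\Users\PublicX
        return ("Execution from Public Folder", ev["host"], ev["image"])
    return None

def telnet_from_public_ip(ev):
    """Flag inbound TCP/23 connections whose source address is public."""
    if ev["type"] != "network" or ev["proto"] != "tcp" or ev["dst_port"] != 23:
        return None
    if is_public(ev["src_ip"]):
        return ("Telnet Connection from Public IP", ev["host"], ev["src_ip"])
    return None

RULES = [public_folder_execution, telnet_from_public_ip]

def run_rules(events, rules=RULES):
    """Return (rule name, host, evidence) for every event matched by any rule."""
    return [hit for ev in events for rule in rules if (hit := rule(ev))]

if __name__ == "__main__":
    for finding in run_rules(EVENTS):
        print(finding)
```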

Bug Fixes and Improvements

- In Findings, we fixed a problem that caused deprecated detection filter values to appear blank, which made it hard to determine which values had been allowlisted in the past.

- In Report Builder, we fixed a problem that was causing an error to appear after adding distinct count to a report, which prevented the ability to run the report using counts.

- Global reports for logins outside of the U.S. have been improved so that they no longer include null data, which previously produced false reports of logins outside of the U.S.

July Highlight

In case you missed it, in July we released a Google Workspace Cloud Connector in beta. For now, this is only available in paid editions, but it is coming soon to Free Edition!


Blumira, 206 E Huron St, Suite 106, Ann Arbor, Michigan 48104, United States, +1 877-258-6472
