Using Blumira Threat Response

Overview

After successfully installing Blumira Agent on your endpoints or configuring your Microsoft 365 response connector in the app, you can begin using Blumira Threat Response with the EDR and ITDR response actions that are supported by those integration types. To test the response actions, trigger a detection that creates a finding where you can see and use the available response actions.

Caution: You cannot undo response actions from Blumira. Ensure you have the appropriate permissions or an administrator is available to remediate after you have performed lockouts or other actions from Blumira so that disabled users can regain access after an incident is resolved or activity is confirmed as safe.

Using response actions

Video: Watch this Threat Response demo to learn more about the available EDR and ITDR response actions, and how to use them in a Blumira finding.

Configurations that impact Response Actions

Your license can impact the actions you have access to. All editions excluding Free Edition have access to Threat Response; however, Respond Core Edition includes ITDR actions but does not include EDR actions.

If the Response Actions section does not appear on a finding's detail page, the detection rule for that finding does not support response actions. If options appear in a disabled state (grayed out), it is due to one of the following reasons:

  • The Microsoft 365 Cloud Connector does not have a threat response connector configured.
  • Blumira Agent is not installed on the associated endpoint.
  • The action requires a domain controller, and no agent device has yet been designated as one.

For effective use of response actions in hybrid Azure environments, ensure that you have Blumira Agent installed on your domain controller and that it is properly identified as a domain controller in the agent device details window. 

Reference: To learn how to designate an agent device as a domain controller, see Managing your Blumira Agent devices.

Acting on a finding

All Blumira roles that have access to Findings also have access to see and use Response Actions where available. 

To use Response Actions in supported findings, do the following:

  1. In Blumira, navigate to Reporting > Findings and locate the newly created finding.
  2. Click the finding’s row, and then click View Finding Details.
  3. In the Response Actions menu, select the action you want to perform based on the finding.

    Caution: Delete File is a permanent action and files are unrecoverable after running the Delete File response action. Do not click Run until you are certain you need to delete a file from a device. 
  4. In the action window that appears, review the details and impact of the chosen response action and then do one of the following:
    • Click Select All to bulk select all results shown in the table.
    • Select the check box next to the specific users or objects you want to take action on.
  5. Click Run.

    Note: If you used the search to narrow your results, only the items matching your search are selected for action.

Reviewing history and error messages

To view the status of response actions taken or details of failed actions, do the following:

  1. In the Response Actions History table, review the Status column, which indicates if the action is in progress, has completed successfully, or if the action failed.
  2. Click More to view details about the selected evidence and the reason if the action failed.


Implications to consider in a hybrid Azure environment

Response actions might not be effective if Blumira Agent is not properly configured and running when you disable and revoke a user’s session in a hybrid Azure environment (i.e., Azure AD and on-premises AD). Consider these important implications:

  • Authentication and access:
    • Azure resources: Immediate termination of access to all Azure-based resources and applications.
    • Office 365: Access blocked to email, SharePoint, Teams, and other Microsoft 365 services.
    • On-premises resources: Delayed effect until AD sync occurs (typically within 30 minutes, depending on sync schedule).
    • Active sessions: On-premises active sessions may continue until credential validation is required again.
  • Synchronization:
    • Azure AD Connect Sync: Changes propagate based on your sync cycle (typically every 30 minutes).
    • Sync conflicts: The on-premises account may reactivate the cloud account if not also disabled on-premises.
    • Attribute flow: Changes made in Azure may be overwritten by on-premises AD during the next sync cycle.
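To address the sync-conflict and attribute-flow points above, here is an added PowerShell example (not Blumira's code, and not something the product runs for you) that disables the matching on-premises account and triggers a delta sync so the next Azure AD Connect cycle does not re-enable the cloud user. It assumes the RSAT ActiveDirectory module is available, that the script is run on the Azure AD Connect server where the ADSync module lives, and that $SamAccountName is a placeholder for the user identified in the finding.

```powershell
# Added example, not Blumira's own code. Run after the "disable user" response action
# on a hybrid user so the on-premises object matches the cloud state before the next sync.
# Assumptions: ActiveDirectory (RSAT) module on this host; ADSync module present because
# this runs on the Azure AD Connect server; $SamAccountName is a placeholder.
param(
    [Parameter(Mandatory = $true)]
    [string]$SamAccountName
)

Import-Module ActiveDirectory

# Get-ADUser throws if the account does not exist; surface that clearly instead of continuing
try {
    $user = Get-ADUser -Identity $SamAccountName -Properties Enabled
}
catch {
    throw "On-premises account '$SamAccountName' not found: $($_.Exception.Message)"
}

if ($user.Enabled) {
    # Disable the authoritative on-premises object so sync cannot overwrite the cloud disable
    Disable-ADAccount -Identity $user

    # Leave an audit trail on the object itself (timestamp is generated at run time)
    $stamp = (Get-Date).ToString('u')
    Set-ADUser -Identity $user -Description "Disabled for incident response on $stamp"
    Write-Host "Disabled on-premises account $SamAccountName"
}
else {
    Write-Host "On-premises account $SamAccountName was already disabled"
}

# Push a delta sync now rather than waiting for the scheduled cycle (typically 30 minutes)
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Delta

# Re-read the on-premises state; confirm the cloud side in the Response Actions History table
$after = Get-ADUser -Identity $SamAccountName -Properties Enabled
Write-Host "On-premises Enabled flag for $SamAccountName is now: $($after.Enabled)"
```

Reversing the lockout later requires enabling the account on-premises as well as in Azure, otherwise the next sync cycle re-disables the cloud user.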