Overview
Blumira detects various types of security events and collects evidence from those events into an assignable work item known as a finding, providing a workflow to respond to and resolve the finding. We generate findings when the logged event data from your environment meets the conditions of Blumira's detection rules. Logged events that do not meet the rule's conditions with matchable evidence do not trigger a finding.
Note: Blumira sends finding notifications immediately and according to your users' notification settings. Ensure that your users can receive notifications from Blumira to respond to findings in an appropriate timeframe.
Responding to and resolving findings
Reviewing the Analysis and other primary details
All Blumira findings include these standard elements:
- Detection rule details
- Finding's type and priority
- Timestamp of the finding's creation
- The finding's Analysis contains the summary of what happened and the initial set of data detected. All additional matching log data can be found in the evidence table and is not used to update the content of the Analysis section.
Many findings also include the MITRE ATT&CK® ID that is associated with the detection rule. Clicking on the ID's link will take you to the associated ATT&CK knowledge base entry where you can learn more about that tactic or technique.
Assigning a responder
You can assign a finding to yourself or your teammates by selecting a person or multiple people in the "Assigned responders" box. Alternatively, you can click "Assign to Me" to take responsibility for the finding.
If you do not see a user in the list for assignment, ensure that the user has an account in your organization (Settings > Users) and that they have the Responder or Manager role.
Answering workflow questions
The finding must be assigned before users can answer the workflow questions, and assigning a finding triggers notifications according to each user's notification preferences.
Each finding includes a workflow with several questions to help you respond to the finding. Answers to each workflow question are visible in the finding even after the finding has been resolved. Review the Matched Evidence for data to help you investigate. You can also run queries in Report Builder for additional data analysis.
Commenting on findings
Use the Notes section in a finding to add comments for internal team communication purposes or to reach out to Blumira Security Operations for support, and they will help you with the finding. You can add as many comments as needed, even after the finding is resolved, and the history of comments appears below the Analysis for the finding.
Note: Adding a comment to a finding triggers notifications according to each user's notification preferences.
To comment on a finding, do the following:
- On the finding's detail page, click Add note.
- In the text editing box, type your comments.
- (Optional) Add a file attachment to the note:
- Click Upload in the Attachments section, then click Acknowledge in the confirmation window that appears.
- In the Attach Files window, select or drop in a file from your computer.
- Click Upload.
- (Optional) If you want to request help from Blumira Security Operations team, select the checkbox next to Send note to Blumira Security Operations for help with this finding. Doing so will create a support ticket containing your note as the message.
- Click Add note to save it to the finding.
Adding detection filters
In some scenarios, events that would normally generate a finding include safe sources that you want to allow and not see findings for. For example, when an employee has recently relocated or is working internationally, receiving and resolving certain findings about their activity could be unnecessary.
With Blumira's detection rule filters, you can exclude specific IP addresses, users, and other values from a detection rule.
Reference: Learn how to set up detection filters in Using Detection Filters to customize detections.
Reviewing and searching matched log evidence
The ingested logs that match the logic for the detection rule and are supporting evidence for the finding are displayed in the Matched Evidence table. You can customize the column view of the table to include specific data fields rather than including all fields from the log by using the column widget at the top-right corner of the table.
Using the Search box at the top of the table can also help to narrow the table's view to review logs containing a specific entity or value within the matched evidence.
Additionally, if a field's value exceeds the size of the cell, it will appear with an ellipsis at the end, truncating anything beyond six lines of text. You can increase the width of the cell to view the full value by clicking the right-hand border of the column header and dragging the handlebar to the right.
You can further narrow the evidence by adding filters for multiple criteria across multiple columns.
To apply multiple filters, do the following:
- In the top-right corner of the evidence table, click Filters (inverted triangle icon).
-
From the Columns list, select the column that contains the value you want to filter by.
Note: If a column does not appear in the list, filtering is currently not an option for those values due to data transformation limitations. - From the Operator list, select how the value you will filter by relates to your chosen column.
- In the Value box, type the value(s) that you want to filter by.
- (Optional) Click + Add filter to include another filter condition that combines with the previous to further narrow the evidence.
- Click outside of the filter window to close it and view the results.
To remove filters from the evidence table, do one of the following:
- To remove a filter, click the X at the beginning of that filter's row.
- To remove all filters, click Remove all in the bottom-right corner of the filter window.
Exporting evidence
If you would like to export the evidence, so you can review it offline, do the following:
- In the top-right corner of the evidence table, click Export CSV (arrow icon).
- Click Export CSV (all fields).
- If the file does not download to a folder automatically, choose a location and then click Save.
Resolving findings
Resolution types
We recommend reviewing the analysis of every finding and completing the steps in each workflow to reach a conclusion about the validity of the risk or activity. Completing a finding's workflow leads to a resolution that fits one of these resolution types:
| Type | When to use |
| Valid | when conditions were valid and remediation was completed |
| False positive | when finding details do not reflect any reason to take action or were inaccurate |
| No action needed | when you are aware of this behavior and there is no risk associated with allowing it to occur |
| Risk accepted | when you understand allowing this continued behavior is an accepted risk for your organization |
Skipping workflows to resolve
In some cases, you may need to skip the workflow and resolve the finding, or resolve a batch of findings at once. For example, this is useful for MSPs handling findings as tickets in a PSA tool outside of Blumira.
To resolve a finding without answering the workflow, do the following:
- At the top of the finding's detail page, click Open.
- Select a resolution.
- In the Resolution Notes box, type a note to explain the option you selected or why the workflow is not being completed.
- Click Save.
If you need to resolve a batch of findings with the same resolution type, you can use the bulk-select feature on the Findings table to skip the workflow and immediately close all of the findings together.
To bulk-select and resolve findings, do the following:
- Navigate to Reporting > Findings.
- Click the check box next to the findings you want to close.
- Above the table, click Resolve selected as.
- In the menu that appears, select the appropriate resolution type.
- In the Resolution Notes box, type a resolution note about the resolution you selected.
- Click Save.
Findings categories and priority levels
All findings have a priority level indicating the urgency or severity of the event.
Important: Multiples of any finding, especially in the P1-P2 range, should be considered as a higher priority threat when combined.
Blumira's priority levels include the following:
- P1: Respond immediately. These events are malicious and require immediate action to fix a weakness or actual exploit of the network or device. At this level, vulnerabilities are being exploited with a severe level or widespread level of damage or disruption of critical infrastructure assets.
- P2: Respond within the next day. These events are malicious by posing a significant security risk or involving an active attack without a foothold. At this level, there are attempts to exploit known vulnerabilities or there is the potential for exploitation, and damage is high.
- P3: Respond within the next few business days unless notified otherwise. Lower-priority alerts with the potential for malicious activities, but no further action has been performed or exploits identified.
The table below describes the different Blumira findings categories and provides examples for each:
| Category | Description |
| Suspect |
Items that cannot be verified as being a threat due to lack of information surrounding the event. Suspect events require further investigation. We may request additional information via workflow questions within Blumira. Example suspect findings:
|
| Threat |
An event that we determined, with a high level of confidence, poses an immediate and real threat to the security of data or resources. We will present steps to mitigate or remediate the threat to you via workflow questions in the app. Example threat findings:
|
| Risk |
Security events that are a risk to any organization. Note: Only P3 is used for risks because different organizations have different risk thresholds that rely on a large variety of situations, configurations, and technical controls. Respond according to your organization's assessment of the risk. Example risk findings:
|
| Operational |
Items that pertain to day-to-day operations. Note: These are always P3 priority and are not necessarily security-related. Example operational findings:
|