About Blumira findings

Overview

Blumira detects different types of security events, called findings, and provides you with a workflow to respond to and resolve those findings. We generate a finding when logged event data from your environment meets the conditions of one of Blumira's detection rules. Logged events that do not meet a rule's conditions with matchable evidence do not trigger a finding.

Note: Blumira sends finding notifications immediately and according to your users' notification settings. Ensure that your users can receive notifications from Blumira to respond to findings in an appropriate timeframe.

Responding to and resolving findings

Assigning a responder

You can assign a finding to yourself or your teammates by selecting a person or multiple people in the "Assigned responders" box. Alternatively, you can click "Assign to Me" to take responsibility for the finding.

Note: The finding must be assigned before users can answer the workflow questions, and the assignment triggers notifications according to each user's notification preferences.

If you do not see a user in the list for assignment, ensure that the user has an account in your organization (Settings > Users) and that they have the Responder or Manager role.

Answering workflow questions

Each finding includes a workflow with several questions to help you respond to the finding. Review the matched evidence (Details > Matched Evidence) within the finding for data to help you investigate. You can also run queries in Report Builder for additional data analysis.

Answers to each workflow question are visible in the finding even after the finding has been resolved.

Important: Answers cannot be changed after you select them in a workflow. See Resolving findings for options to close a finding even if you cannot finish the workflow.

Commenting on findings

Use the Notes section in a finding to add comments for internal team communication purposes or to reach out to Blumira Support. You can add as many comments as you need to, even after the finding is resolved, and the history of comments appears below the Analysis for the finding.

Note: Adding a comment to a finding triggers notifications according to each user's notification preferences.

To comment on a finding:

  1. On the finding's detail page, click Add note.
  2. In the text editing box, type your comments.
  3. (Optional) Add a file attachment to the note:
    1. Click Upload in the Attachments section, then click Acknowledge in the confirmation window that appears.

    2. In the Attach Files window, select or drop in a file from your computer.
    3. Click Upload.
  4. Click Save to add the internal note without sharing it with Blumira Support, or click Add note & send to Blumira support if you need help with the finding.

Adding detection filters

In some scenarios, events that would normally generate a finding come from sources you know to be safe and want to allow without seeing findings for them. For example, when an employee has recently relocated or is working internationally, receiving and resolving certain findings about their activity could be unnecessary.

With Blumira's detection rule filters, you can exclude specific IP addresses, users, and other values from a detection rule. An event that meets the rule's conditions but carries an excluded value is allowed and does not generate a finding.

Reference: Learn how to set up detection filters in Using detection filters.
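The following is an added illustration, not Blumira's detection engine or API, of how rule matching and exclusion filters fit together: an event that meets a rule's conditions becomes a finding with its matched evidence attached, an event that does not meet them produces nothing, and an event that matches but carries a filtered value (an allowed IP address or user) is suppressed. The rule names are taken from this page; the field names, filter values and log events are constructed for the example.

```python
"""Toy model of detection rules with exclusion filters (added example,
not Blumira's code). Field names, filter values and events are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable

Event = dict

# RFC 1918 and loopback ranges; anything else is treated as "public" here.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_public(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in PRIVATE_NETS)


@dataclass
class DetectionRule:
    name: str
    priority: str                          # "P1", "P2" or "P3"
    condition: Callable[[Event], bool]     # the matchable-evidence test
    # Exclusion filters: {event field: allowed values}. An event whose field
    # holds one of these values is allowed and never produces a finding.
    filters: dict = field(default_factory=dict)


@dataclass
class Finding:
    rule: str
    priority: str
    matched_evidence: Event


def is_filtered(event: Event, filters: dict) -> bool:
    """True when any filtered field of the event holds an allowed value."""
    return any(str(event.get(f)) in allowed for f, allowed in filters.items())


def evaluate(events: list, rules: list) -> list:
    """Run every rule over every event and return the findings generated."""
    findings = []
    for rule in rules:
        for ev in events:
            if not rule.condition(ev):
                continue                   # no matchable evidence: no finding
            if is_filtered(ev, rule.filters):
                continue                   # matched, but explicitly allowed
            findings.append(Finding(rule.name, rule.priority, ev))
    return findings


RULES = [
    DetectionRule(
        "SSH Connections from Public IP", "P3",
        lambda e: e.get("app") == "ssh" and e.get("action") == "accept"
        and is_public(e["src_ip"]),
        # Hypothetical filter: a known remote office's egress address.
        filters={"src_ip": {"203.0.113.10"}},
    ),
    DetectionRule(
        "Disabling of Multi-Factor Authentication on Azure AD User", "P3",
        lambda e: e.get("source") == "azuread" and e.get("operation") == "DisableMFA",
        # Hypothetical filter: a documented break-glass account.
        filters={"actor": {"breakglass@example.com"}},
    ),
]

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"app": "ssh", "action": "accept", "src_ip": "10.0.0.5"},      # private: no match
    {"app": "ssh", "action": "accept", "src_ip": "203.0.113.10"},  # matches, filtered
    {"app": "ssh", "action": "accept", "src_ip": "198.51.100.7"},  # finding
    {"app": "ssh", "action": "deny", "src_ip": "198.51.100.7"},    # condition fails
    {"source": "azuread", "operation": "DisableMFA", "actor": "breakglass@example.com"},  # filtered
    {"source": "azuread", "operation": "DisableMFA", "actor": "jdoe@example.com"},        # finding
]


def run_sample() -> list:
    return evaluate(SAMPLE_EVENTS, RULES)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.priority}] {f.rule}: {f.matched_evidence}")
```

Running the sample yields exactly two findings: the SSH accept from 198.51.100.7 and the MFA change by jdoe@example.com. The filtered events still matched the rule condition; the filter only suppresses the finding, which is why a filter should be as narrow as the value you actually trust (a single address or account) rather than a whole field.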

Resolving findings

Completing a finding's workflow leads to a resolution that fits one of these resolution types:

Type              When to use
Valid             The conditions were valid and remediation was completed.
False positive    The finding details were inaccurate or did not reflect any reason to take action.
No action needed  You are aware of this behavior and there is no risk associated with allowing it to occur.
Risk accepted     You understand that allowing this behavior to continue is an accepted risk for your organization.

If you need to resolve a single finding or a batch of findings with the same resolution type, you can use the bulk-select feature on the Findings table to skip the workflow and immediately close the finding(s).

To bulk-select and resolve findings:

  1. Navigate to Reporting > Findings.
  2. Scroll or search to locate the finding(s) that you want to resolve.
  3. Click the check box next to the finding(s).
  4. Above the table, click Resolve selected as.
  5. From the menu that appears, select the appropriate resolution type for the finding(s).
  6. In the Resolution Notes box, type a custom resolution note about the resolution you selected.
    Tip: View custom resolution notes on the finding's detail screen under Resolution Notes. These notes cannot be edited after saving.
  7. Click Save.

Findings categories and priority levels

All findings are assigned a priority level, which indicates the urgency or severity of the event.

Important: Multiple findings of any kind, especially in the P1-P2 range, should be treated as a higher-priority threat when they occur together.

Blumira's priority levels include:

  • P1: Respond immediately. These events are malicious and require immediate action to fix a weakness or stop an active exploit of the network or a device. At this level, vulnerabilities are being exploited with severe or widespread damage or disruption to critical infrastructure assets.

  • P2: Respond within the next day. These events are malicious, posing a significant security risk or involving an active attack that has not yet established a foothold. At this level, there are attempts to exploit known vulnerabilities, or the potential for exploitation exists, and the potential damage is high.

  • P3: Respond within the next few business days unless notified otherwise. Lower-priority alerts with the potential for malicious activity, but no further action has been observed and no exploit has been identified.

The following describes each Blumira findings category and provides examples for each:

Suspect

Items that cannot be verified as being a threat due to lack of information surrounding the event. Suspect events require further investigation. We may request additional information via workflow questions within Blumira.

Example suspect findings:

  • PowerShell: Encoded Command Execution
  • Suspected Web Shell Interaction
  • Microsoft 365 - Suspicious Inbox Rule Creation
Threat

An event that we determined, with a high level of confidence, poses an immediate and real threat to the security of data or resources. We will present steps to mitigate or remediate the threat to you via workflow questions in the app.

Example threat findings:

  • Remote Desktop Server Password Spray
  • Dump LSASS.exe Memory using ProcDump
  • Mimikatz File Creation Artifacts
  • Autoit Downloaded via Command Line
Risk

Security events that pose a risk to any organization.

Note: Risk findings are always P3 because risk thresholds differ between organizations and depend on a wide variety of situations, configurations, and technical controls. Respond according to your organization's own assessment of the risk.

Example risk findings:

  • Disabling of Multi-Factor Authentication on Azure AD User
  • Modification of Office 365 Group
  • Microsoft 365 Mass Download
  • SSH Connections from Public IP
  • FTP Connection from Public IP
  • macOS: UnSafe File Permissions - Chmod 777
Operational

Items that pertain to day-to-day operations. They are not necessarily security-related, but Blumira detected them in your logs.

Example operational findings:

  • Microsoft 365 Exchange Domain Added
  • Veeam Backup Error
  • Okta log failure
  • SNMPv1 Connection Failures