Overview
When an integration fails or a detection rule triggers a finding, Blumira can send your team notifications (Email, Voice, SMS text) so that your team can take action. You can also receive notifications when a responder is assigned to a finding or a new comment is added as a note on a finding. Notifications can be enabled or disabled according to priority and type.
Ensure that your organization's users can receive notifications from Blumira to respond to findings or integration health issues in an appropriate timeframe. (See About Blumira findings for recommended response times.)
Editing notification settings
Notification settings are managed at the user level and cannot be specified per organization. This means editing notification settings for a user impacts all of the Blumira accounts the user can access.
Users can view and edit their personal settings by clicking Notification Settings (the bell icon) at the top of the screen.
As an Administrator or Manager, you can also configure which notifications your Blumira users receive by editing their notification settings.
Note: Free SIEM edition includes email notifications only, so users with access to only free accounts cannot edit the settings for voice or text notifications.
To edit a user's notification settings, do the following:
- Navigate to Settings > Users.
- Click Edit (pencil icon) in the row with the user's name.
- In the Edit user window, click Edit User Notifications.
- Verify that the correct information is provided for the user:
- Voice number
- Text number
- Email address
- Select the relevant check boxes to turn on Voice, Text, or Email notifications per type.
  Tip: Blumira sends voice and text alerts from (313) 349-2586. Save the number as a safe caller/sender on your device so that alerts are not marked as spam.
- Select or deselect these options:
  - Email me on every new finding comment.
  - Email me when a responder takes initial ownership of a finding.
- Click Save.
About system notifications for Cloud Connector and sensor health
Organizations using Blumira sensors or Cloud Connectors for logging can choose to receive alerts related to their integrations' health. These notifications help you monitor and respond as soon as possible when errors occur.
Cloud Connector notifications
The following Cloud Connector health notification options are available:

Option Name | Related Scenarios
---|---
Cloud Connector errors and recoveries | 
Cloud Connector persistent errors | A connector that previously entered an error state remains in error for at least 24 hours.
Cloud Connector failure to complete initialization | A newly added connector is stuck initializing for at least 24 hours and cannot establish a connection.
Note: We recommend removing a Cloud Connector if it has entered an error state or is stuck initializing. Replace it by adding a new connector and ensuring all integration requirements are met. If you instead update the configuration for the existing connector, you may notice an error message continue to appear for several minutes until the connector's next health check, which occurs about every 5 to 10 minutes.
Sensor notifications
The following sensor health notifications are available:

Option Name | Related Scenarios
---|---
Sensor goes online or offline | A sensor has gone offline, and again when it comes back online (checked about every 4 hours).
Sensor resources are low | The storage resources available to the sensor are too low for it to perform.
Sensor stopped sending logs | A sensor's log collection rate suddenly and sharply decreases (checked about every 2 hours).
About Blumira finding emails
The emails Blumira sends for each finding contain the following content:
- A parsable subject line formatted according to this convention: Finding_Type | Finding_Priority | Finding_Name @ Company_Name.
  Example: Suspect | P2 | Indicator: Microsoft 365 - Creation of forwarding/redirect rule @ Acme Security
- The body of the email includes the timestamp of when the finding was created, along with the analysis for the finding, and a Learn More button that links directly to the finding's detail page (requires login).
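Because the subject line follows a fixed convention, a mail rule or SOAR playbook can parse it to route findings by priority. The following is an added example written for this article, not Blumira's own code: it parses the subject convention above and applies a hypothetical routing policy (P1 pages on-call, P2 opens a ticket, anything else is only logged). The sample subjects are constructed for the example, and the regex accepts any single-digit "P" priority rather than a fixed list, which is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Subject convention from the article:
#   Finding_Type | Finding_Priority | Finding_Name @ Company_Name
# The finding name is captured as "rest" and split off from the company below,
# because names contain ":" and " - " and may in principle contain "@".
SUBJECT_RE = re.compile(
    r"^(?P<ftype>[^|]+?)\s*\|\s*(?P<priority>P\d)\s*\|\s*(?P<rest>.+)$"
)


@dataclass(frozen=True)
class FindingSubject:
    finding_type: str
    priority: str
    finding_name: str
    company: str


def parse_subject(subject: str) -> Optional[FindingSubject]:
    """Parse a Blumira finding email subject; return None if it does not match."""
    m = SUBJECT_RE.match(subject.strip())
    if not m:
        return None
    # Split on the LAST " @ " so an "@" inside the finding name does not
    # truncate the name (e.g. a user principal name in the finding name).
    name, sep, company = m.group("rest").rpartition(" @ ")
    if not sep or not name.strip() or not company.strip():
        return None
    return FindingSubject(
        finding_type=m.group("ftype").strip(),
        priority=m.group("priority"),
        finding_name=name.strip(),
        company=company.strip(),
    )


def route(subject: str) -> str:
    """Hypothetical routing policy keyed on the parsed priority (assumption, not Blumira's)."""
    finding = parse_subject(subject)
    if finding is None:
        return "ignore"        # not a finding email; take no automated action
    if finding.priority == "P1":
        return "page-oncall"
    if finding.priority == "P2":
        return "open-ticket"
    return "log-only"


if __name__ == "__main__":
    # Constructed sample subjects; the first is the article's own example.
    samples = [
        "Suspect | P2 | Indicator: Microsoft 365 - Creation of forwarding/redirect rule @ Acme Security",
        "Threat | P1 | Login from user@example.com @ Acme Security",
        "Weekly digest",
    ]
    for s in samples:
        print(route(s), parse_subject(s))
```

Parsing the subject identifies the finding but does not authenticate the message; a rule that pages on-call from email should also check that the sender domain passes SPF/DKIM/DMARC before acting, and should treat the Learn More link, which requires login, as the place to confirm the finding rather than the subject text.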