Overview
Blumira groups the security events it detects into findings and provides a workflow for responding to and resolving them. A finding is generated when logged event data from your environment meets the conditions of a Blumira detection rule. Logged events that do not meet a rule's conditions with matchable evidence do not produce a finding and do not trigger a notification.
Note: Blumira sends finding notifications immediately, subject to each user's notification settings. Make sure your users can receive notifications from Blumira so that findings are responded to within the expected timeframe.
Findings categories
The following table describes the different Blumira findings categories and how you can act on them:
Category | Description | Priority level(s) |
Suspect | Events that cannot be verified as a threat because there is not enough information about them. Suspect findings require further investigation; we may request additional information from you through workflow questions in Blumira. Example suspect findings: | P1: Respond immediately. P2: Respond within the next day. P3: Respond within the next few business days unless notified otherwise. |
Threat | An event that we have determined, with a high level of confidence, poses an immediate and real threat to the security of your data or resources. We present steps to mitigate or remediate the threat through workflow questions in the app. Important: multiple findings, especially in the P1 to P2 range, should be treated as a higher-priority threat when they occur together. Example threat findings: | P1: Respond immediately. P2: Respond within the next day. P3: Respond within the next few business days unless notified otherwise. P3 threats are lower-priority alerts with the potential for malicious activity, where no further action has been observed and no exploit has been identified. |
Risk | Security events that we have determined to be a risk to any organization. Because organizations have different risk thresholds, which depend on a wide variety of situations, configurations, and technical controls, Blumira does not assign a severity to risk findings. Example risk findings: | Risks have equal priority. Respond according to your organization's own assessment of the risk. |
Operational | Events that pertain to day-to-day operations. They are not necessarily security related, but Blumira detected them in your logs. Example operational findings: | P3: Respond within the next few business days unless notified otherwise. |
Detection filters in findings
In some scenarios, activity that would normally generate a finding comes from a safe source that you want to allow without seeing findings for it. For example, when an employee has recently relocated or is working internationally, or when a pen tester is temporarily accessing your systems, receiving and resolving findings about their activity may be unnecessary.
If you have Blumira's Advanced edition, you can create detection rule filters to exclude specific IP addresses, users, and other values from a detection rule. Scope each filter as narrowly as the case allows (a specific user or source address rather than a broad range), and remove it when the exception ends, for example at the close of a pen test engagement, so the filter does not quietly suppress a real finding later.
Reference: Learn how to set up detection filters in Using detection filters in Advanced edition.
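The following is an added illustration, not Blumira's own code, of how the pieces described on this page fit together: detection rules that turn matching events into findings, detection filters that suppress findings from allowlisted users or source addresses, response deadlines derived from the priority table, and escalation when several P1/P2 findings stack up on the same user. The rule names, event fields, IP ranges, and events are all constructed for the example, and the three-day window used for P3 is an assumption standing in for "the next few business days".

```python
"""Toy finding pipeline: detection rules, detection filters, priorities, and
escalation. This is an added example, not Blumira's implementation; rule
names, fields, and sample events are constructed for illustration."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Optional

# Response expectations from the findings table. "Next few business days"
# is approximated as three calendar days here (assumption).
RESPONSE_WINDOW = {"P1": timedelta(0), "P2": timedelta(days=1), "P3": timedelta(days=3)}


@dataclass
class Rule:
    name: str
    category: str                       # Suspect | Threat | Risk | Operational
    priority: Optional[str]             # None for Risk: no severity is assigned
    condition: Callable[[dict], bool]
    # Detection filters: event field -> values to exclude (IPs may be CIDRs).
    filters: dict = field(default_factory=dict)


@dataclass
class Finding:
    rule: str
    category: str
    priority: Optional[str]
    entity: str                         # user the finding is about
    detected_at: datetime
    respond_by: Optional[datetime]
    escalated: bool = False


def matches_filter(value: str, allowed: set) -> bool:
    """True when value equals an allowed literal or lies inside an allowed CIDR."""
    if value in allowed:
        return True
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return any("/" in a and addr in ipaddress.ip_network(a, strict=False) for a in allowed)


def is_excluded(event: dict, filters: dict) -> bool:
    """A detection filter suppresses the finding when any filtered field matches."""
    return any(
        event.get(fld) is not None and matches_filter(str(event[fld]), allowed)
        for fld, allowed in filters.items()
    )


def escalate(findings: list) -> list:
    """Several P1/P2 findings on one entity are treated as a higher-priority threat."""
    high = {}
    for f in findings:
        if f.priority in ("P1", "P2"):
            high[f.entity] = high.get(f.entity, 0) + 1
    for f in findings:
        if f.priority in ("P1", "P2") and high[f.entity] >= 2:
            f.escalated = True
    return findings


def evaluate(rules: list, events: list) -> list:
    """Apply every rule to every event; filtered or non-matching events yield nothing."""
    findings = []
    for ev in events:
        for rule in rules:
            if not rule.condition(ev) or is_excluded(ev, rule.filters):
                continue  # no matchable evidence, or the source is allowlisted
            deadline = ev["ts"] + RESPONSE_WINDOW[rule.priority] if rule.priority else None
            findings.append(Finding(rule.name, rule.category, rule.priority,
                                    ev["user"], ev["ts"], deadline))
    return escalate(findings)


# Constructed sample events (not real log data).
T0 = datetime(2024, 5, 6, 9, 0)
EVENTS = [
    {"ts": T0, "user": "alice", "src_ip": "198.51.100.7", "country": "DE", "action": "login"},
    {"ts": T0, "user": "bob", "src_ip": "203.0.113.9", "country": "CA", "action": "login"},
    {"ts": T0, "user": "carol", "src_ip": "192.0.2.44", "country": "BR", "action": "login"},
    {"ts": T0 + timedelta(minutes=5), "user": "carol", "src_ip": "192.0.2.44", "action": "mfa_disabled"},
    {"ts": T0, "user": "dave", "src_ip": "10.0.0.5", "action": "password_expires_soon"},
]

# Hypothetical rules; names and conditions are this example's own.
RULES = [
    Rule("Login from unexpected country", "Suspect", "P2",
         lambda e: e.get("action") == "login" and e.get("country") != "US",
         filters={"user": {"alice"},                  # relocated employee
                  "src_ip": {"203.0.113.0/24"}}),     # pen tester's source range
    Rule("MFA disabled on account", "Threat", "P1",
         lambda e: e.get("action") == "mfa_disabled"),
    Rule("Password nearing expiry", "Operational", "P3",
         lambda e: e.get("action") == "password_expires_soon"),
]

if __name__ == "__main__":
    for f in evaluate(RULES, EVENTS):
        print(f.priority, f.category, f.rule, f.entity, f.respond_by,
              "ESCALATED" if f.escalated else "")
```

Running it yields three findings: alice's foreign login is suppressed by the user filter and bob's by the CIDR filter, carol's foreign login (P2) and MFA change (P1) both remain and are escalated because they stack on the same account, and dave's expiring password is an Operational P3 with a three-day deadline.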