Overview
Blumira detects different types of security events, called findings, and provides you with a workflow to respond to and resolve those findings. We generate a finding when logged event data from your environment matches the conditions of one of Blumira's detection rules. Logged events that do not match a detection rule's conditions with matchable evidence do not become findings and do not trigger a notification.
Note: Blumira sends finding notifications immediately, according to each user's notification settings. Ensure that your users are able to receive notifications from Blumira so that they can respond to findings within an appropriate timeframe.
Types of findings
The following table describes the different types of Blumira findings and how you can act on them:
| Type | Description | Priority level(s) |
|---|---|---|
| Suspect | Items that cannot be verified as a threat because of a lack of information about the event. Suspect findings require further investigation or additional information from you to determine whether to escalate them to a threat finding. We may request that information through workflow questions within Blumira, and we may also escalate a suspect finding to a threat finding based on our own analysis. Example finding: | P1: Respond immediately. P2: Respond within the next day. P3: Respond within the next few business days unless notified otherwise. |
| Threat | An event that we have determined, with a high level of confidence, poses an immediate and real threat to the security of your data or resources. We present steps to mitigate or remediate the threat through workflow questions in the app. Example findings: | P1: Respond immediately. P2: Respond within the next day. P3: Respond within the next few business days unless notified otherwise. |
| Risk | Security events that we have determined pose a risk to any organization. Because risk thresholds differ between organizations and depend on a wide variety of situations, configurations, and technical controls, Blumira does not assign a severity to these findings. Example findings: | Risks have equal priority. Respond according to your organization's assessment of the risk. |
| Operational | Items that pertain to day-to-day operations. They are not necessarily security related, but Blumira detected them in the logs collected from your environment. Example findings: | P3: Respond within the next few business days unless notified otherwise. |
| System Notification | Examples: | P3: Respond within the next few business days unless notified otherwise. |