Blumira Findings
Overview
Findings are Blumira's primary security detection unit — they represent threats, suspicious activity, or policy violations detected across your environment. This skill covers the full finding lifecycle from discovery through resolution.
Key Concepts
Finding Statuses
| Status Code | Label | Description |
|---|---|---|
| 10 | Open | New, unreviewed finding |
| 20 | In Progress | Under investigation |
| 30 | Resolved | Closed with a resolution |
Finding Severity
Findings have severity levels (e.g., LOW, MEDIUM, HIGH, CRITICAL) that indicate the potential impact. Always triage CRITICAL and HIGH findings first.
Resolution Types
When resolving a finding, you must specify a resolution type:
| Resolution Code | Label | Use When |
|---|---|---|
| 10 | Valid | Confirmed real threat, action was taken |
| 20 | Not Applicable | Finding doesn't apply to this environment |
| 30 | False Positive | Detection was incorrect |
API Patterns
List Findings
blumira_findings_list
status.eq=10 # Open findings only
severity.in=HIGH,CRITICAL
order_by=-created # Most recent first
page_size=25
Get Finding Details
blumira_findings_get
finding_id=<UUID>
blumira_findings_details
finding_id=<UUID>
The details endpoint returns enriched data including related context, evidence, and recommended actions.
Resolve a Finding
blumira_findings_resolve
finding_id=<UUID>
resolution_type=10 # Valid
notes="Confirmed brute force attempt. Blocked source IP in firewall."
Assign a Finding
blumira_findings_assign
finding_id=<UUID>
user_id=<UUID>
List Comments
blumira_findings_comments_list
finding_id=<UUID>
Add a Comment
blumira_findings_comments_add
finding_id=<UUID>
comment="Investigating source IP. Checking firewall logs for correlation."
Common Workflows
Triage Open Findings
blumira_findings_listwithstatus.eq=10andorder_by=-severity- Review CRITICAL and HIGH findings first
- For each finding, use
blumira_findings_detailsto get context - Assign to an analyst with
blumira_findings_assign - Add investigation notes with
blumira_findings_comments_add
Investigate a Finding
blumira_findings_getto retrieve the findingblumira_findings_detailsfor enriched context and evidenceblumira_findings_comments_listto review prior investigation notes- Add findings with
blumira_findings_comments_add - Resolve when investigation is complete
Resolve Multiple Findings
blumira_findings_listwith filters matching the batch (e.g., same detection rule)- Review a representative sample to confirm the resolution applies
- Resolve each with
blumira_findings_resolveand appropriate resolution type - Document the rationale in the notes field
Filter by Date Range
blumira_findings_list
created.gt=2025-01-01
created.lt=2025-02-01
status.eq=10
Error Handling
Finding Not Found
Cause: Invalid finding ID or finding not accessible in current org scope
Solution: Verify the finding ID. If using MSP credentials, use blumira_msp_findings_get instead.
Cannot Resolve — Missing Resolution Type
Cause: Resolution type not provided or invalid Solution: Provide a valid resolution type: 10 (Valid), 20 (Not Applicable), or 30 (False Positive).
Cannot Assign — Invalid User
Cause: User ID doesn't exist or isn't a member of the organization
Solution: Use blumira_users_list to get valid user IDs.
Best Practices
- Always triage by severity: CRITICAL → HIGH → MEDIUM → LOW
- Add comments before resolving to document the investigation trail
- Use resolution types accurately — false positive tracking improves detection tuning
- Filter by date range when reviewing historical findings to avoid overwhelming results
- Assign findings to specific analysts for accountability
Related Skills
- API Patterns — Filtering and pagination
- Resolutions — Resolution types in depth
- Users — Finding user IDs for assignment
- MSP — Cross-account finding management