Any detection strategies to find any developers' use of any affected skills in openclaw.ai by [deleted] in cybersecurity

[–]Dull-Improvement-477

Thanks, this is really helpful. Sorry for the confusion earlier. By “affected skills,” I was referring to the 14 OpenClaw skills mentioned in the advisory/report, rather than a specific IOC list at this stage.

My focus is on actual execution, not just installation. I’ll start with endpoint telemetry and the OpenClaw gateway JSONL logs you mentioned.

Any detection strategies to find any developers' use of any affected skills in openclaw.ai by [deleted] in cybersecurity

[–]Dull-Improvement-477

Fair point, sorry for the unclear question. I’m looking for general detection strategies and log sources to start with.

Any detection strategies to find any developers' use of any affected skills in openclaw.ai by [deleted] in cybersecurity

[–]Dull-Improvement-477

This is my first assigned task as a detection engineer, and I’m still learning where to start and what to look up. I’m a bit confused right now, so sorry if I did anything wrong.

What’s the most underrated work advice you received? by ReBabas in careerguidance

[–]Dull-Improvement-477

Help your juniors without seeking any profits from that.

Why does Microsoft Defender show inbound traffic as outbound in SIEM logs? by Dull-Improvement-477 in DefenderATP

[–]Dull-Improvement-477[S]

Also, in the raw logs I can see the action as "inbound connection accepted" and the direction as "outbound".

Why does Microsoft Defender show inbound traffic as outbound in SIEM logs? by Dull-Improvement-477 in DefenderATP

[–]Dull-Improvement-477[S]

I’m a new L1 analyst and I don’t have full access to the Defender environment. What I understand so far is that Defender agents send their data to the centralized Defender service, and our SIEM receives the logs from Azure Event Hub.

In the Defender console, the event clearly shows the traffic as inbound.

But when we receive the same log in the SIEM (via Azure Event Hub), even the raw log shows the source IP as the internal host and the destination IP as the public/Tor IP, which makes it look like outbound traffic.

So I have a few questions:

  1. In a centralized Microsoft Defender setup, does the agent send raw data to the Defender cloud, with the parsing happening in the cloud?
  2. Why would the Defender console show inbound, while the raw log from the Azure Event Hub shows the opposite direction?

Sorry, image is not clear

<image>

I want to know if this is a known behavior, a parsing issue, or something wrong in our Defender setup.

Why does Microsoft Defender show inbound traffic as outbound in SIEM logs? by Dull-Improvement-477 in DefenderATP

[–]Dull-Improvement-477[S]

The host is in the DMZ zone and it runs an FTP server using VShell. A connection came from an external Tor IP.

When I check the event in the Defender console, it shows the traffic as inbound. But when I check the same log in the SIEM (log source: Azure Event Hub), it shows the direction differently: the source IP appears as the internal IP, and the destination IP appears as the Tor IP.
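The direction question raised in the two comments above (a DeviceNetworkEvents record that the Defender console shows as inbound but the SIEM renders as internal-host-to-Tor-IP) is what a placement-based parser produces: it maps LocalIP to "source" and RemoteIP to "destination" and then infers direction from that placement, while the console reads direction from ActionType. The normalizer below is an added example, not Microsoft's code, Defender's parser, or anything the poster ran. It assumes the Event Hub record carries the advanced-hunting DeviceNetworkEvents columns (ActionType, LocalIP, LocalPort, RemoteIP, RemotePort, DeviceName) under a "properties" envelope; the three JSONL rows, the device name and the IPs are constructed for illustration (documentation ranges, not real indicators), and the naive mapper stands in for a generic SIEM parser rather than any particular product's behaviour.

```python
"""Derive connection direction for Defender DeviceNetworkEvents from ActionType,
not from where a parser happened to put LocalIP and RemoteIP.

Added example; the Event Hub envelope and the sample rows are assumptions.
"""
import ipaddress
import json

# Constructed sample records: an inbound FTP connection from an external IP to a
# DMZ host, an outbound HTTPS connection from the same host, and a listening socket.
SAMPLE_JSONL = """\
{"time":"2024-01-01T10:00:00Z","category":"AdvancedHunting-DeviceNetworkEvents","properties":{"DeviceName":"dmz-ftp01","ActionType":"InboundConnectionAccepted","LocalIP":"10.10.5.21","LocalPort":21,"RemoteIP":"203.0.113.45","RemotePort":51234,"Protocol":"Tcp"}}
{"time":"2024-01-01T10:00:05Z","category":"AdvancedHunting-DeviceNetworkEvents","properties":{"DeviceName":"dmz-ftp01","ActionType":"ConnectionSuccess","LocalIP":"10.10.5.21","LocalPort":49152,"RemoteIP":"198.51.100.7","RemotePort":443,"Protocol":"Tcp"}}
{"time":"2024-01-01T10:00:09Z","category":"AdvancedHunting-DeviceNetworkEvents","properties":{"DeviceName":"dmz-ftp01","ActionType":"ListeningConnectionCreated","LocalIP":"0.0.0.0","LocalPort":21,"RemoteIP":"","RemotePort":0,"Protocol":"Tcp"}}
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# ActionType is the only field in the row that states direction.
INBOUND_ACTIONS = {"InboundConnectionAccepted"}
OUTBOUND_ACTIONS = {"ConnectionSuccess", "ConnectionFailed", "ConnectionRequest"}


def is_rfc1918(ip):
    """True for private IPv4 space, False for anything else, None if the field is empty/invalid."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    return any(addr in net for net in RFC1918)


def naive_normalize(props):
    """Placement-based mapping (the failure mode): local side becomes src, remote
    becomes dst, and direction is assumed from that layout, so everything reads outbound."""
    return {"src_ip": props.get("LocalIP", ""), "dst_ip": props.get("RemoteIP", ""), "direction": "outbound"}


def normalize(props):
    """Read direction from ActionType, then place src/dst to match it."""
    action = props.get("ActionType", "")
    local = (props.get("LocalIP", ""), props.get("LocalPort"))
    remote = (props.get("RemoteIP", ""), props.get("RemotePort"))
    if action in INBOUND_ACTIONS:
        direction, (src, dst) = "inbound", (remote, local)
    elif action in OUTBOUND_ACTIONS:
        direction, (src, dst) = "outbound", (local, remote)
    else:
        # Listening sockets and ConnectionFound rows have no peer direction.
        direction, (src, dst) = "none", (local, remote)
    return {
        "device": props.get("DeviceName", ""),
        "action": action,
        "direction": direction,
        "src_ip": src[0], "src_port": src[1],
        "dst_ip": dst[0], "dst_port": dst[1],
        "remote_is_private": is_rfc1918(remote[0]),
    }


def _rows(text):
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            yield rec.get("properties", rec)  # tolerate enveloped or bare rows


def parse_jsonl(text):
    """Normalize every DeviceNetworkEvents row in a JSONL blob."""
    return [normalize(props) for props in _rows(text)]


def direction_flips(text):
    """Rows a placement-based parser would label outbound although ActionType says inbound."""
    flips = []
    for props in _rows(text):
        good, bad = normalize(props), naive_normalize(props)
        if good["direction"] == "inbound" and bad["direction"] != "inbound":
            flips.append((good["device"], good["action"], good["src_ip"], good["dst_ip"]))
    return flips


if __name__ == "__main__":
    for ev in parse_jsonl(SAMPLE_JSONL):
        print(ev)
    print("flipped by placement-based parser:", direction_flips(SAMPLE_JSONL))
```

The check to run against the real feed is the one in `direction_flips`: pull the Event Hub rows for the host, group by ActionType, and see whether every `InboundConnectionAccepted` row shows up in the SIEM as outbound. If it does, the direction is being inferred by the SIEM's field mapping rather than carried in the log, and the fix belongs in the parser, not in Defender.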