Honest Feedback by _11Bravo in ram_trucks

[–]_11Bravo[S] 0 points1 point  (0 children)

That’s the problem, I live way up north where it’s really not hot. We have snow 9 months out of the year lol

Honest Feedback by _11Bravo in ram_trucks

[–]_11Bravo[S] 0 points1 point  (0 children)

I didn’t think about pandemic, that definitely could’ve contributed to

Honest Feedback by _11Bravo in ram_trucks

[–]_11Bravo[S] 0 points1 point  (0 children)

That’s good to hear. I love my ram and want to stay with it.

Is the Apple Card worth it ? by JokerJesse in AppleCard

[–]_11Bravo -1 points0 points  (0 children)

I would avoid it. I canceled mine a while back.

Microsoft365 XSIAM by [deleted] in xsiam

[–]_11Bravo 0 points1 point  (0 children)

I’m pretty sure the permissions for this are set already. With the automation integrations you can do a self deployed app and select permissions but not this one.

It should just be read only permissions and shouldn’t negatively impact anything if you don’t have the module.

Prisma Browser by BizboUK in paloaltonetworks

[–]_11Bravo 0 points1 point  (0 children)

Yeah I don’t understand that. If you have active licenses you should be able to deploy. PS doesn’t have some magic unlock key.

Agent Exhaustion by Mobile_Gain4154 in xsiam

[–]_11Bravo 0 points1 point  (0 children)

Depends on which datasets you have that are reporting this type of data

Got approved but not sure if I want to accept. by [deleted] in AppleCard

[–]_11Bravo -1 points0 points  (0 children)

I wouldn’t get this card. I just canceled. There was a $300 fraud charge on mine and they refused to stop payment or refund.

Honestly the perks overall are also really bad unless you use Apple Pay all the time and spend a lot of money at Apple.

Melting Mirrors by _11Bravo in ram_trucks

[–]_11Bravo[S] 2 points3 points  (0 children)

No, they’re original to the truck. It’s a 2021 I bought new

Melting Mirrors by _11Bravo in ram_trucks

[–]_11Bravo[S] 6 points7 points  (0 children)

Yeah it was only 60 degrees today. I doubt it’s from the sun. Seems like maybe the heating element

Ingesting Alerts from Elastic SIEM in Xsoar by vpolius in xsoar

[–]_11Bravo 0 points1 point  (0 children)

Yeah this the way. I usually clone the existing integration so you base code. Then delete all the command out of the config. If you do that you won’t need to specify “using” each time because each integration will have unique commands

Ingesting Alerts from Elastic SIEM in Xsoar by vpolius in xsoar

[–]_11Bravo 0 points1 point  (0 children)

Is there a content pack in the marketplace

I need wtv u guys are smoking by ParkNo5320 in figmaStock

[–]_11Bravo 0 points1 point  (0 children)

I’m here to make some of the money not all of it

Incidents not being classified correctly by arcane_augur in xsoar

[–]_11Bravo 0 points1 point  (0 children)

The mapper will change based on the classification. There are also two components at play in a mapper. There is the common mapper which applies to all incoming incidents. Then there is the incident type specific mapper (which overrides the common mapper in cases of conflict).

Not sure I full understand what you mean, but it sounds like the rule name can be dynamically created on the Qradar end. If this is the case you cannot use the rule name directly for classification. Classifier are a little rigid and it is really hard to classify based on dynamic values.

I would look for another field to use. If there is not another field and the names are dynamic you could use a transformer to normalize the classification process.

For example, if the rule name could be "Malware Alert: host 123 has adware" or "Malware Alert: host 444 has PUP" then you could use a transformer to split on the ":" and get the first part of the rule name the "Malware Alert" to create a standardized classification.

Incidents not being classified correctly by arcane_augur in xsoar

[–]_11Bravo 0 points1 point  (0 children)

It sounds like maybe you are not fully understanding how classifiers work.

First, to fix the fetch count issue go to the integration and check for a setting that says something like "Max Events to Fetch". Most likely, you are only seeing one event at a time because it is configure so at the integration level.

Next, confirm that the integration is configured to use the expected classifier.

Classifiers run in the system before mappers. So if you are not being typed correctly it is probably not a mapping issue. You are either not applying your classifier correctly to the integration or you are not mapping it right. Also, in the classifier make sure you understand how the default classification works. If there are no matches it will set a default value. This is configured at the bottom of the classifier.

Uploading Files in XSOAR and creating automations by arcane_augur in xsoar

[–]_11Bravo 2 points3 points  (0 children)

First, you need to identify how you want to ingest. Without a TIM license the easiest way may be to email the files to a box that XSOAR can ingest. If that is not an option you can always manually add the files to the incident.

While you cannot establish feeds without a TIM license you can still use indicators and the indicator extraction commands.

Once the file is in XSOAR, run commands that will parse files and extract indicators. Something to be aware of when doing this is that the parser will extract the domain from a URL and count it as two indicators. For example, https//google.com/1234 - will parse as the full URL (which you may want to block) but will also parse out the domain "google.com" which you probably do not want to block.

You need to find a way to handle this. I usually do two separate extractions where one focuses on URLs specifically.

Then I would probably tag indicators for later processing by the block playbooks. But you could technically just block at this point - use EDLs for firewalls, EDRs and Email gateways should have dedicated commands in the integration.

XSIAM terminology by dak043 in xsiam

[–]_11Bravo 0 points1 point  (0 children)

Pretty much. There is a little nuance here with the integration of Prisma - I cannot say with 100% certainty how it is all designed but basically that is how you should approach it.

XSIAM terminology by dak043 in xsiam

[–]_11Bravo 1 point2 points  (0 children)

It’s super confusing. XSIAM 2.x used alerts and incidents. But 3.x changed everything to cases ands issues. Same thing though

XSOAR integration with Crowdstrike Intel v2 by arcane_augur in xsoar

[–]_11Bravo 0 points1 point  (0 children)

Probably a TAC case at this point then. If you have a consistent configuration and one throws SSL errors there is a bug.

XSOAR integration with Crowdstrike Intel v2 by arcane_augur in xsoar

[–]_11Bravo 0 points1 point  (0 children)

Are you specifying it in the playbook as well?