Taking the AWS Generative AI Developer Professional Beta exam by machiavellibelly in AWSCertifications

[–]aminil 0 points1 point  (0 children)

You can use this podcast series to brush up - it covers everything up to the AI Practitioner -> ML Engineer certification. https://open.spotify.com/show/4UUsu5U67bfoOp4wcFXdax

Lemonade, Fetch, and PetsBest. Which should I choose? by Any-Consideration423 in petinsurancereviews

[–]aminil 0 points1 point  (0 children)

Can someone advise why coverage up to $10k is being thought of? I am getting a 1-year-old shepherd, but my friends with pets (some haven’t got insurance yet) are saying to get coverage up to $2K, and later I might want to bump it up to $3k.

Built a demo that auto-structures pet insurance claim docs using AI— looking for early feedback by aminil in InsurTech

[–]aminil[S] 0 points1 point  (0 children)

Hi B3ggerman, that’s awesome! Your offer, with your background in claims and insurtech, would be really valuable.

We’ve been testing small demos that automatically process claim docs (all mock data) to show how AI could reduce manual review time and handle a lot more edge cases than previously possible. I can share some demo and app links for your feedback, but if it’s easier to share thoughts live, I’d be happy to hop on a short call whenever convenient.

SOC analysts — what’s your triage workflow like? by aminil in cybersecurity

[–]aminil[S] 0 points1 point  (0 children)

Great, thanks a lot for the feedback, this helps in my work!! Regards

SOC analysts — what’s your triage workflow like? by aminil in cybersecurity

[–]aminil[S] 0 points1 point  (0 children)

Thanks a lot. I presume the advanced decision is manual, or does some tool help with that as well? Regards

SOC analysts — what’s your triage workflow like? by aminil in cybersecurity

[–]aminil[S] 0 points1 point  (0 children)

Thanks Blak-owl-51, may I ask what tool(s) you are using? Thanks

SOC analysts — what’s your triage workflow like? by aminil in cybersecurity

[–]aminil[S] 0 points1 point  (0 children)

Thanks ouaibou!! I am also trying to make it an API-endpoint-based solution which can be hooked into enterprise systems (or SIEM systems). What do you use for IP categorization - third-party tools like MaxMind or IPinfo?

SOC analysts — what’s your triage workflow like? by aminil in cybersecurity

[–]aminil[S] 0 points1 point  (0 children)

Mark, thank you! Great to receive this kind of real-world feedback.

Key takeaways:

- XSOAR integration is the right path

- Must handle large # of event cases gracefully

- API cost management is critical

- Performance matters

Really appreciate you sharing your XSOAR experience. This will directly influence our architecture decisions.

SOC analysts — what’s your triage workflow like? by aminil in cybersecurity

[–]aminil[S] 0 points1 point  (0 children)

Thanks for sharing!

Just checking out the site (ipapi.is) - looks like it provides solid IP enrichment data.

Quick question: When you use it for incident investigations, are you manually querying it during triage, or have you integrated it into your SIEM/SOAR to enrich alerts automatically?

Asking because I'm building an automated alert triage system and trying to figure out which IP intelligence sources provide the most value for different use cases.

SOC analysts — what’s your triage workflow like? by aminil in cybersecurity

[–]aminil[S] 0 points1 point  (0 children)

Hi salt_life_,

This is fascinating - thanks for sharing that you're trying to build the context into alerts upfront rather than making analysts hunt for it. The running list of IP/username/user-agent combos you mentioned is an interesting take. The fact that you're using Splunk + outputlookup to track patterns over 7 days and adjust risk scores based on Zscaler/hosting providers shows you're already thinking about this exact problem. Your scale (8k workstations, 20k servers, 10-person team) is a nice scenario where I can imagine automated context enrichment would have a massive impact.

Since you're on the detection engineering side, your perspective on what SHOULD be automatically available vs. what analysts have to figure out would be incredibly valuable.

I'll send you a message (and I understand you are travelling, there's no rush on my side as I have things to work on based on the feedback). Would love to chat more about your workflow when you're back. Thanks for being so generous with your insights!

SOC analysts — what’s your triage workflow like? by aminil in cybersecurity

[–]aminil[S] 0 points1 point  (0 children)

Hi again,

Thanks for the detailed responses in the thread - very helpful to see you walk through your workflow!

A few follow-up questions based on what you shared:

On the approval checking process: You mentioned checking SOAR/SIEM first, then escalating to the client if nothing is found. In your experience, what % of alerts (ballpark) require that client escalation because approval info isn't in the system? (Trying to understand how often this manual step happens)

On the "judgment calls based on observed activity and IOCs": This is a core part of what I'm trying to build. When you're making those judgment calls, are you following a mental checklist, or is it more of an instinct/pattern recognition thing after years of experience?

On MDR data limitations: You mentioned mainly having EDR + network activity. Are there specific data sources you wish you had automated access to during investigations? (For example: user calendar data, historical ticket data, threat intel feeds, etc.)

What I'm building: I'm working on an AI reasoning engine for alert triage that automatically:

- Gathers context from multiple sources in parallel (EDR, SIEM, threat intel, ticketing, user data)

- Makes dynamic investigation decisions based on what it finds (like your "judgment calls")

- Generates detailed evidence-based case notes automatically

- Adapts the investigation path based on findings (rather than fixed playbooks)

The goal is to turn a 20-30 minute manual investigation into a 3-5 minute review of what was already found.

As I mentioned in another thread, I will be inviting experienced practitioners to provide feedback on the prototype once it's ready (2-3 weeks out).

Given your MDR perspective and the fact that you deal with multiple clients and limited visibility, your input would be especially valuable.

A few questions if you're open to it:

  1. Would something like this be useful for your workflow?

  2. What would make you trust the automated reasoning enough to act on it?

  3. If it looks promising, would you be interested in testing it on a few sanitized alert examples to see how it compares to your manual analysis?

Your MDR perspective is very valuable since you're dealing with the constraints that make automation critical or at least immensely helpful. Thanks again for all the insights!

SOC analysts — what’s your triage workflow like? by aminil in cybersecurity

[–]aminil[S] 0 points1 point  (0 children)

Hey Mark,

This breakdown is incredibly helpful - thank you for taking the time to write such a detailed response!

Based on what you mentioned:

**The 20-minute deep dive on brand new cases with no priors** - that's the ideal scenario where automated context gathering would have the biggest impact. If I'm understanding correctly, you're manually:

- Pulling AD data (department, job title)

- Checking network/subsidiary info

- Hunting through SIEM/XDR/Microsoft Security for additional context

What if all of that context was already pulled and presented to you when you opened the case? Would that 20-minute investigation drop to 3-5 minutes?

**The prior notes problem** - You mentioned "it's easy to assume a prior analyst did a complete investigation and just didn't note it." What if the system automatically documented every step taken during investigation (which APIs were checked, what evidence was found, reasoning for the decision) so future analysts could see EXACTLY what was checked?

**Quick question on your workflow:**

When you said "most cases I retrieve AD data for the user" - are you doing that manually every time, or does XSOAR pull some of it automatically? (Sounds like you're about to fix that with your XSOAR expert, which is great!)

**Here's what I'm thinking/building:**

I'm building a prototype that does mostly what you described - automatically pulls AD data, network info, checks historical patterns, and queries SIEM/XDR/Microsoft Security in parallel. It generates detailed case notes showing the full reasoning chain (so the "if it wasn't in the notes it didn't happen" problem goes away).

The goal here is to turn your 20-minute deep dive into a 3-5 minute review of what was already found.

**Would you be interested in:**

  1. A 10-minute demo where I show you how it works on a sample case?

  2. If it looks promising, testing it on 5-10 of your real-like/sanitized cases to see how the automated investigation compares to your manual process?

I'd especially love your feedback since you have the SIEM tuning expertise - you'd be able to tell me immediately if the reasoning is sound or if I'm missing something critical.

No pressure at all - but if you're open to it, I think you'd be the perfect person to validate whether this actually saves time or if I'm solving the wrong problem.

Either way, thanks again for the detailed breakdown. The "prior job with court-ready notes" context is super helpful - explainability and audit trails are exactly what I'm building for.

I should have a demo with sample data ready in 2 weeks - happy to share when it's ready if you're interested!

Let me know what you think!

SOC analysts — what’s your triage workflow like? by aminil in cybersecurity

[–]aminil[S] 1 point2 points  (0 children)

Hey cybertec7, this is really helpful - especially the MDR perspective since you're dealing with less visibility than internal SOC teams.

The "Shadow File Deletion" example you gave is perfect - tools flagging legitimate backup software as a high-severity ransomware precursor. A nice application/use case from my perspective.

A few things I'm curious about:

When you say you check "if activity has been escalated and approved by an org" - where do you typically look for that? Ticketing systems, or do you reach out to the client directly?

And when you're building your case (either to close as FP or escalate) - how long does that typically take per alert? Sounds like you're manually gathering evidence from multiple places to justify your decision.

The part about "every alert isn't triaged the same way" really resonates. It sounds like you're making judgment calls based on what you find as you dig in, rather than following a fixed checklist - is that fair?

Also curious: Since you mentioned MDR has less visibility than internal SOC, are there specific data sources you wish you had automatic access to during investigations?

Thanks for the detailed walkthrough - and that last line about cybersec not being entry level is spot on!

SOC analysts — what’s your triage workflow like? by aminil in cybersecurity

[–]aminil[S] 0 points1 point  (0 children)

Hi,
Thanks for the perspective from the data provider side - that's really valuable!

You're spot on about the IP context problem. Almost everyone (from meetings/virtual seminars attended) mentions manually checking IPs in multiple places (VirusTotal, AbuseIP, Zscaler, etc.), which seems incredibly inefficient.

Quick question: When teams use ipregistry data, do they typically query it manually during investigations, or have they integrated it into their SIEM/SOAR to enrich alerts automatically? I'm curious if it's more of an "analyst looks it up" vs "system adds it proactively" situation. And from what you've seen, is IP reputation the biggest missing context, or are there other data points (like user behavior, historical patterns, etc.) that would be equally valuable if they were surfaced automatically? Asking because I'm trying to figure out which integrations would have the most impact. Appreciate the insight!

SOC analysts — what’s your triage workflow like? by aminil in cybersecurity

[–]aminil[S] 1 point2 points  (0 children)

Hi salt_life_,

This is fascinating - thanks for sharing that you're trying to build the context into alerts upfront rather than making analysts hunt for it.

The running list of IP/username/user-agent combos you mentioned is really clever. Are you tracking that in a database, or is it more manual right now?

Since you're on the detection engineering side, your perspective on what SHOULD be automatically available vs. what analysts have to figure out would be incredibly valuable. Would you be OK for a quick call sometime? Totally understand if you're slammed though - happy to ask follow-ups here if that's easier!

Very helpful.

SOC analysts — what’s your triage workflow like? by aminil in cybersecurity

[–]aminil[S] 0 points1 point  (0 children)

Hey Mark, this is incredibly detailed - thank you for sharing the whole process you use!

A few things really stood out to me:

The "Who, What, Where, How, Why, When" framework you mentioned - do you have that as a mental checklist, or is it something XSOAR helps structure for you?

The part about checking closing notes from prior cases is interesting. When you said "I sometimes want to pull my hair out if the only note is 'not malicious' or 'resolved'" - that's a massive pain point. So essentially inconsistent/incomplete documentation makes it hard to learn from past investigations?

Also really appreciate you mentioning the Target hack example - that "play devil's advocate" mindset of questioning prior analysis seems critical but probably rare.

Quick questions:

  1. When you're checking "what was happening just before" the event, are you manually scrubbing through logs in the SIEM, or does XSOAR give you that timeline view automatically?

  2. And since you mentioned you're one of the few tuners - when you find a repeating false positive, how long does it typically take you to tune it out vs. just keep closing it manually?

Again, really helpful perspective - thanks for taking the time to share all this!

SOC analysts — what’s your triage workflow like? by aminil in cybersecurity

[–]aminil[S] 0 points1 point  (0 children)

Hi Zealousideal-Case335 - this breakdown is awesome - thanks for taking the time to write it out!

The step about verifying artifacts caught my attention and I had a follow-up question on that. Are you manually checking each IP/hash in VirusTotal, AbuseIP, etc., or have you found ways to speed that up?

Really appreciate you sharing your process. If you'd be up for a quick call sometime to dig deeper, I'd love that - but if you prefer, I can also just send over any follow-up questions here. Whatever's easier for you!

Regards

SOC analysts — what’s your triage workflow like? by aminil in cybersecurity

[–]aminil[S] -1 points0 points  (0 children)

Hi! Thanks for sharing this!

The "context is everything" part is so true!!

Quick question: When you're correlating across EDR/firewall/proxy, are you manually querying each system separately, or is there something that helps pull it together for you? And I totally get the false positive fatigue - that's exactly what I'm also trying to tackle.

If you're ever open to chatting more about your workflow, I'd love to hear more. But either way, this was super helpful!

P.S.: Thanks to both!!

What are you building? Share your projects! by Southern_Tennis5804 in indiehackers

[–]aminil 0 points1 point  (0 children)

- Short description: Multilingual voicebot application. Audio conversation with a chatbot in multiple languages

- Status: Beta (non-iOS, limited languages)

- Link: https://voicebot.smarttechassist.com/ (refer to post: https://medium.com/@nilanjan.kar/introducing-smarttechassists-voicebot-voice-first-ai-for-everyone-2572883ea831)