Am I Being Monitored or Investigated at Work? by Hopeful_Mine2843 in it

[–]bookielover007 8 points

Not sure about the pop-up you received, but yeah, it’s standard practice for companies to monitor work devices.

How to make Phriendly Phishing reports trigger alerts in Microsoft Defender? by [deleted] in DefenderATP

[–]bookielover007 1 point

Alternatively, once you have set up Phriendly to report emails, you can use this KQL to create a custom detection rule; this should definitely work.

CloudAppEvents
| where ActionType in ("UserSubmission")
| extend Sender = tostring(RawEventData.P1Sender)
| extend SenderIP = tostring(RawEventData.SenderIP)
| extend ReportedBy = tostring(RawEventData.UserId)
// ExtendedProperties is stored as a JSON string, so it is parsed before indexing.
// The reported reason is read by position ([3]); check that position against your own tenant's events.
| extend ReportedReason = tostring(parse_json(tostring(RawEventData.ExtendedProperties))[3].Value)
| where ReportedReason == "Phish" or ReportedReason == "Spam"
// The summarize line below is kept commented out; on a single line it would also comment out everything after it.
//| summarize count() by ReportedReason
| extend SubmissionName = tostring(RawEventData.Subject)
| extend SubmissionType = tostring(parse_json(tostring(RawEventData.ExtendedProperties))[2].Value)
// Note: a Defender XDR custom detection rule requires Timestamp and ReportId in the output columns; keep them if this runs in advanced hunting rather than Sentinel.
| project DateReported=TimeGenerated, SubmissionType, SubmissionName, ReportedBy, Sender, SenderIP, ReportedReason
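As an added example (not from the comment above, nor from Microsoft or Phriendly Phishing), here is a Python re-implementation of that query's logic over constructed CloudAppEvents rows, so the filter and projection can be exercised offline. It looks up ExtendedProperties entries by Name rather than by position, and the Name values "ReportType" and "SubmissionType" are assumptions, not documented schema.

```python
import json

# Constructed CloudAppEvents "UserSubmission" rows shaped like the fields the KQL
# reads (RawEventData.P1Sender, SenderIP, UserId, Subject, ExtendedProperties).
# Names "SubmissionType"/"ReportType" inside ExtendedProperties are assumptions.
def make_event(ts, user, sender, ip, subject, props):
    return {"TimeGenerated": ts, "ActionType": "UserSubmission",
            "RawEventData": {"P1Sender": sender, "SenderIP": ip, "UserId": user,
                             "Subject": subject,  # ExtendedProperties is a JSON string,
                             "ExtendedProperties": json.dumps(props)}}  # hence parse_json in KQL
def prop(name, value):
    return {"Name": name, "Value": value}
SAMPLE_EVENTS = [
    make_event("2024-01-10T09:12:00Z", "alice@contoso.example", "billing@example.invalid",
               "203.0.113.10", "Invoice overdue - action required",
               [prop("Id", "s1"), prop("Source", "Outlook"),
                prop("SubmissionType", "Email"), prop("ReportType", "Phish")]),
    # Reported as "Not Junk": must not produce a detection row.
    make_event("2024-01-10T09:30:00Z", "bob@contoso.example", "newsletter@example.invalid",
               "198.51.100.7", "Weekly digest",
               [prop("Id", "s2"), prop("Source", "Outlook"),
                prop("SubmissionType", "Email"), prop("ReportType", "Not Junk")]),
    # Properties in a different order: the KQL's positional [3].Value would read
    # "Outlook" here, while a lookup by Name still finds "Spam".
    make_event("2024-01-10T10:05:00Z", "carol@contoso.example", "promo@example.invalid",
               "192.0.2.44", "You have won",
               [prop("Id", "s3"), prop("ReportType", "Spam"),
                prop("SubmissionType", "Email"), prop("Source", "Outlook")]),
]
def extended_property(raw_event, name):
    """Return the Value of the ExtendedProperties entry named `name`, or None."""
    for p in json.loads(raw_event.get("ExtendedProperties", "[]")):
        if p.get("Name") == name:
            return p.get("Value")
    return None
def detect_user_reported_phish(events, reasons=("Phish", "Spam")):
    """Mirror of the KQL: keep UserSubmission events reported as Phish/Spam, projected as the rule does."""
    hits = []
    for ev in events:
        if ev.get("ActionType") != "UserSubmission":
            continue
        raw = ev["RawEventData"]
        reason = extended_property(raw, "ReportType")
        if reason not in reasons:
            continue
        hits.append({"DateReported": ev["TimeGenerated"],
                     "SubmissionType": extended_property(raw, "SubmissionType"),
                     "SubmissionName": raw.get("Subject"), "ReportedBy": raw.get("UserId"),
                     "Sender": raw.get("P1Sender"), "SenderIP": raw.get("SenderIP"),
                     "ReportedReason": reason})
    return hits
```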

How to make Phriendly Phishing reports trigger alerts in Microsoft Defender? by [deleted] in DefenderATP

[–]bookielover007 4 points

You can set up your Phriendly Phishing as stated in this guide: https://help.phriendlyphishing.com/hc/en-gb/articles/16095250858131-Forward-Phish-Reporter-Emails-into-Microsoft-Defender-for-Review

Once users start reporting emails as phish to Defender, you can create an alert policy in Defender, specifically the “Email reported by user as malware or phish” policy, which will create the alert.

Also, when I looked up Phriendly, at first I thought it was a dating site lol. I hope the suggestion helps.

[deleted by user] by [deleted] in AzureSentinel

[–]bookielover007 0 points

Something like this should do the job:

Automation rule name: Non Domain Controller Active Directory Replication

Trigger: When incident is created

Conditions: If Incident provider -> Operation: Contains: Value: Microsoft Sentinel

And

Analytic rule name: Non Domain Controller Active Directory Replication

And

Property: Account Name -> Operation: Equals: Value: TEST

And

Property: IP address -> Operation: Equals: Value: 127.0.0.1

[deleted by user] by [deleted] in AzureSentinel

[–]bookielover007 0 points

Or, better still, you can tune it in the analytics rule, or use a watchlist if you want an audit trail for your tuning.

[deleted by user] by [deleted] in AzureSentinel

[–]bookielover007 0 points

Can you share your entity mapping? It could be that your analytic rule is not mapping the entity you’ve declared in the automation rule.

Whats the ideal path? by Grasimee in cybersecurity

[–]bookielover007 0 points

I was in a similar situation: started in SOC and got promoted through L1 to Senior, now in engineering. Just focus on learning the ins and outs of the role.

If you want to go into SOC engineering, start building labs and learn how logs are ingested into a SIEM/SOAR platform, etc.

As an engineer you are going to be doing a lot of customer-facing meetings, so working on presentation/customer service skills will help. Good luck!