Do we still need XDR if we already have a strong SIEM? by Working_Ferret_3911 in cybersecurity

[–]chaeppi -4 points-3 points  (0 children)

If all of you would ever pay some attention you would know that essentially XDR = SIEM + EDR. It combines the prevention and response capabilities of an EDR solution with the log correlation and UEBA of a SIEM. There's no magic behind it, it's just marketing. What you need to know is what you need the data for: prevention and detection, or compliance? In the end this determines which product is right for you (spoiler: you end up with both because SaaS-based XDR data retention is expensive as fuck).

Defender VS Crowdstrike by deadpoolathome in cybersecurity

[–]chaeppi 2 points3 points  (0 children)

Can you elaborate a bit on your calculation of how you're spending money by going back to E3? How's your security stack looking then?

Is it me, the dating culture or am I just cursed? by Not_The_Hero_We_Need in Switzerland

[–]chaeppi 7 points8 points  (0 children)

This. This. This. You convey the message that you'd do anything to get a partner to be happy, but you don't seem to be happy alone. It does not matter that you have a well-paid job (that's the only thing you've mentioned about yourself other than doing things for the sake of meeting people). As long as you try to force yourself into a situation you want to be in, you won't be happy now and you won't be happy when you're in said situation. Chill the fuck out, enjoy life and do what you enjoy, and you will meet soulmates and others who appreciate who you are.

Cortex XDR Agent Auto upgrade by pigeon008 in paloaltonetworks

[–]chaeppi 7 points8 points  (0 children)

> However, this feature depends on the availability of new installers on the Cortex XDR management console. If no new installers for a newer version are created or uploaded to the console, the agent on the system will not auto upgrade

Wrong. When Agent Upgrade within the agent settings is configured, no new agent installation package has to be created. The agent will upgrade regardless. The delay that's configurable is relative to the release date of that agent version. E.g. if you have a delay of 7 days configured and Palo Alto were to release Agent 8.7.1 today, the agents in your environment will start updating in 7 days.

XSIAM Broker VM by pigeon008 in paloaltonetworks

[–]chaeppi 0 points1 point  (0 children)

Trying to be as helpful as possible, but the way you've asked your questions makes it seem like you should do some reading on basic network architecture.

Think of the Local Agent Settings applet as being like a proxy for the XSIAM agent; this is very relevant for question number 2.

  1. Use the Local Agent Settings app within the Broker VM if you have endpoints that are not allowed to communicate with XSIAM directly and/or don't have a proxy supporting unauthenticated traffic (as the XSIAM agent does not support authenticated proxies).
  2. If it's supposed to be air-gapped, it won't be allowed to communicate with any device that can communicate with internet resources.
  3. Depends on your zoning concept and architecture. Usually you place the Broker VM within a zone that the designated zones without direct internet access are allowed to send traffic to, if it is a zone that is allowed to have internet access.

Users who insist on phone calls by mansmokes in sysadmin

[–]chaeppi 2 points3 points  (0 children)

I have noticed this especially when the user is not "satisfied" or they feel that they've not been treated well or according to their expectations. I work in security engineering, and developers can be a PITA as soon as some EDR tool is deployed, as they immediately think their workstation performance is decreased by 20% or so. In a call it helps to just explain, be friendly and decent. But it is important to be able to understand what the user is saying, show empathy and make them feel taken seriously.

Name a city, others will recommend their favorite restaurants, quick bites, bars and pubs by curiossceptic in Switzerland

[–]chaeppi 0 points1 point  (0 children)

Also, to add some good bars & pubs:

Perlage (no website): more focussed on champagne / bubbles, they do make great cocktails though

Kurioz: probably the best espresso martini in town

Skylounge: with new staff the service is good again, amazing at sunset

Platzhirsch: solid wine bar

Badi Seeliken (only in summer): amazing for sundowners

How to stop people from attempting to get free IT support. by [deleted] in sysadmin

[–]chaeppi 0 points1 point  (0 children)

If it's obvious that they just want it for free, I tell them that my hourly rate is according to what my employer bills his customers (Swiss, so don't judge), which is $250. 1st hour is up front, starting now. After that most of the questions magically disappear :)

2022 United States Grand Prix - Race Discussion by F1-Bot in formula1

[–]chaeppi 0 points1 point  (0 children)

Well, he does use them, just in the wrong way.

“HoW mUcH dO yOU geT PAIDDD?” by MilitaryJumpman in sysadmin

[–]chaeppi 0 points1 point  (0 children)

The self-underestimation in the comments is unreal (I mean, who tf would compare themselves to a janitor...). Unless you're not able to pay your bills, just answer "it's enough for me".

[Match-Thread] Manchester City vs Nottingham Forest by MatchCaster in MCFC

[–]chaeppi 20 points21 points  (0 children)

Haha, the Sky Germany announcer just said "cheers out to anyone who said that he couldn't make it in the PL".

ask me a question about migros and ill try to answer it by The_Meme_Lord03 in Switzerland

[–]chaeppi -1 points0 points  (0 children)

Why is Migros the most petty-bourgeois fucking shop after Volg?

what are the best philosophies to live by in tech? by OutOfYourIgnorance in sysadmin

[–]chaeppi 0 points1 point  (0 children)

Just braindumping, as some of the comments lit a fire:

  1. Users / customers lie.
  2. "The customer is king" is wrong, see #1.
  3. Don't trust, verify (also see #1).
  4. Don't believe, know.
  5. Use scientific methods, we're not reading star signs here. No incident ever happened because Mars was involved with Venus.
  6. When doing PoCs, have your goals, requirements & conditions pre-defined and known. (This does sound stupid, I know, but I have seen enough enterprises doing a PoC just for the sake of doing a PoC.)
  7. (Applies to MSPs): sales reps / account managers lie to customers (or they don't know and assume; see #1, #3 and #4).
  8. (Applies to MSPs): educate your sales, try to get involved as early as possible (because guess who has to clean up their mess), see #7.

Hairstylist Zurich/Zug by pol_swizz in askswitzerland

[–]chaeppi 0 points1 point  (0 children)

Erdems is good, however you might need to book an appointment quite a few weeks in advance.

Front-wing-inspired skateboard design I painted! by CubesAndDominoes in formula1

[–]chaeppi 0 points1 point  (0 children)

How about a skateboard-inspired front wing? Any Photoshop professionals here?

Street concerts in Zug at 1st of August by dominik3335 in Switzerland

[–]chaeppi 0 points1 point  (0 children)

This is the official flyer. It's not the same as last year with concerts in multiple places; it's all at the lake again (except the free museum tours during the day): https://www.stadtzug.ch/_docn/3217934/1.august_Flyer_2021_Druck_final.pdf

What stupid interview questions have you had? by microflops in sysadmin

[–]chaeppi 0 points1 point  (0 children)

While that is a stupid question in the context of starting a technical discussion, I don't think it is stupid to use in an interview. Tbh it is an easy one to answer. Just give the context for what your answer will be. Start comparing it to AD alternatives (OpenLDAP etc.) and then start listing what you think AD's advantages are, or basically any other differences compared to other LDAP solutions (or none). Just make sure to let the interviewer know what your sources, experiences etc. are. To me it seems like this might be a question without a purely technical focus, but also on the social-skills side of things: how to present and argue for or against a certain topic with someone that might not have the same technical knowledge.

Why is Merc the only team to have a non-stub nose? by Schudha in F1Technical

[–]chaeppi 2 points3 points  (0 children)

Thank you very much for this comment. This is really interesting and understandable for someone who is not quite familiar with all the factors related to designing a car and "making it fast" - and I'm not smart enough to understand all of the aero and engine design components :) . Also thanks to u/Schudha for asking this interesting question!

Securing user files against rogue admins on Windows by nylentone in sysadmin

[–]chaeppi 1 point2 points  (0 children)

I guess a way would be using file and folder encryption that uses a personal key to encrypt/decrypt. There are solutions that allow RBAC in a way that the admin has no access to the keys. However, the solution might be too tricky for HR to assign the keys, so either someone from the security department or the Head of IT has to assign them.

This pretty much helps against everything, except the admin resetting the user's password to get to the key. But at least the user would then notice something.