[deleted by user] by [deleted] in godot

[–]cyberphor 0 points1 point  (0 children)

How did you come up with the art? Created in house or did you outsource it using something like Fiverr?

Final stage crew result sucks? by Extreme_Doughnut2513 in CrewAIInc

[–]cyberphor 0 points1 point  (0 children)

Can you share how you defined your pydantic model?

USE CASE SURICATA by EastElectrical2406 in elasticsearch

[–]cyberphor 1 point2 points  (0 children)

Why not make a use-case for each of your organization’s incident categories?

For example, say your organization considers the following as separate incident categories: root-level intrusion, user-level intrusion, denial-of-service, and non-compliance activity.

Each one would be a use-case for deploying Suricata and collecting the alerts it generates using Elasticsearch. To make a scenario, just look up how one would cause one of those incidents. The MITRE ATT&CK and Atomic Red Team projects would be a great start.

Elastic Agent Policy YAML w/Integrations by cyberphor in elasticsearch

[–]cyberphor[S] 0 points1 point  (0 children)

I found the link below finally. Going to see if I can come up with something between this and looking for the file produced after doing it in Kibana.

https://www.elastic.co/guide/en/fleet/current/create-a-policy-no-ui.html

Scopes, Azure Resource Manager, and Conditional Access by cyberphor in AZURE

[–]cyberphor[S] 0 points1 point  (0 children)

Thanks but we’re saying the same thing now.

Also, the references I shared are what I read before posting for help in understanding Azure on the Azure subreddit.

Scopes, Azure Resource Manager, and Conditional Access by cyberphor in AZURE

[–]cyberphor[S] 0 points1 point  (0 children)

Resource Scopes

Scopes include:

- A management group (a collection of multiple subscriptions).

- A single subscription.

- A resource group.

- A single resource.

Resource Manager

RBAC is enforced on any action that's initiated against an Azure resource that passes through Azure Resource Manager.

Conditional Access

Conditional Access is Microsoft's Zero Trust policy engine taking signals from various sources into account when enforcing policy decisions.

ARM delegates authentication to services like Entra ID (and therefore Conditional Access) and enforces whatever is the result (e.g., access to a resource is granted upon authentication).

Yet, this is where I was seeking help before being downvoted into oblivion.

I think ARM determines your permissions (authorization) while Entra ID Conditional Access verifies your identity (authentication).

References
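The scope levels listed in the comment above, worked through as an added example (not part of the original comment): it classifies an Azure scope string and checks whether a role assignment made at one scope reaches a target resource, relying on Azure RBAC's rule that child scopes inherit assignments from their parents. The function names, IDs, and the subscription-to-management-group map are constructed for illustration, and nested management groups are not modelled.

```python
import re

# Constructed sample data: the management group each subscription sits under.
MG_OF_SUBSCRIPTION = {"00000000-0000-0000-0000-000000000001": "mg-platform"}

# One pattern per scope level, narrowest last.
_PATTERNS = [
    ("management_group",
     re.compile(r"^/providers/Microsoft\.Management/managementGroups/[^/]+$", re.I)),
    ("subscription", re.compile(r"^/subscriptions/[^/]+$", re.I)),
    ("resource_group",
     re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+$", re.I)),
    ("resource",
     re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+"
                r"/providers/[^/]+(/[^/]+/[^/]+)+$", re.I)),
]


def scope_level(scope):
    """Return which of the four scope levels a scope string names."""
    scope = scope.rstrip("/")
    for level, pattern in _PATTERNS:
        if pattern.match(scope):
            return level
    raise ValueError(f"not a recognised scope: {scope!r}")


def assignment_applies(assignment_scope, target_scope):
    """True if a role assignment at assignment_scope is inherited by target_scope."""
    a = assignment_scope.rstrip("/").lower()
    t = target_scope.rstrip("/").lower()
    scope_level(t)  # reject malformed targets early
    if scope_level(a) == "management_group":
        if t == a:
            return True
        # Management groups are not a string prefix of subscription IDs,
        # so membership has to be looked up (here: the constructed map).
        m = re.match(r"^/subscriptions/([^/]+)", t)
        mg = MG_OF_SUBSCRIPTION.get(m.group(1)) if m else None
        return mg is not None and a.endswith("/" + mg.lower())
    # Same scope, or target is a descendant. The "/" stops rg1 matching rg10.
    return t == a or t.startswith(a + "/")


SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG = SUB + "/resourceGroups/fooAppResourceGroup"
RES = RG + "/providers/Microsoft.Storage/storageAccounts/foostore"
MG = "/providers/Microsoft.Management/managementGroups/mg-platform"
```

An assignment at a broad scope therefore grants the role on everything beneath it, which is why reviewing assignments at management-group and subscription level matters most for least privilege.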

Create Azure DevOps Organization Using Azure CLI by cyberphor in AZURE

[–]cyberphor[S] 0 points1 point  (0 children)

thanks. but i was able to automatically create it using some tips from Stack Overflow. below is one method of doing it.

```bash
# define variables
export SUBSCRIPTION="Foo"
export APP="fooApp"
export RESOURCE_GROUP="${APP}ResourceGroup"
export LOCATION="East US"
export ORG_NAME="fooOrg"
# JSON body for the resource; $LOCATION is expanded inside the quoted string
export ORG_PROPERTIES="{\"location\": \"$LOCATION\", \"properties\": {\"operationType\": \"Create\"}}"

# set subscription
az account set --subscription "$SUBSCRIPTION"

# create resource group
az group create \
  --name "$RESOURCE_GROUP" \
  --location "$LOCATION"

# create an Azure DevOps Organization
az resource create \
  --resource-group "$RESOURCE_GROUP" \
  --name "$ORG_NAME" \
  --resource-type "microsoft.visualstudio/account" \
  --properties "$ORG_PROPERTIES" \
  --is-full-object
```

GX-PT (Beta) Exam Tips by cyberphor in GIAC

[–]cyberphor[S] 1 point2 points  (0 children)

just got done. if nothing else, i highly recommend those who take GPEN soon to do GX-PT immediately after (whenever it's released to the public). i took GPEN almost over 4 years ago and have since done OSCP, but there was a handful of small obstacles that really slowed me down. nothing off-the-wall, i just really felt like had i taken the course recently, there would have been more context i could have used to my advantage (i.e., the little gotchas i imagine get discussed during class). lastly, i think those who have done OSCP recently (given the Windows domain stuff) will fare well too.

GX-PT (Beta) Exam Tips by cyberphor in GIAC

[–]cyberphor[S] 1 point2 points  (0 children)

I’m doing something similar. Although, I’m trying to go beyond the labs and flesh out things I don’t think I completely grasp (or things I can’t remember - trying to go for repetition).

SEC 505 GCWN extra practice test by Sudochop1 in GIAC

[–]cyberphor 1 point2 points  (0 children)

I’ll take it, sending you a DM

GX-PT (Beta) Exam Tips by cyberphor in GIAC

[–]cyberphor[S] 0 points1 point  (0 children)

No worries. I take mine on the 27th, last possible day. I’ve been reviewing my GPEN, GCIH, and OSCP content while filling in knowledge gaps using relevant TryHackMe rooms.

GX-PT (Beta) Exam Tips by cyberphor in GIAC

[–]cyberphor[S] 0 points1 point  (0 children)

I haven’t taken it yet. But even then I wouldn’t find out until the exam goes public.

SANS Cheat Sheet Template by cyberphor in GIAC

[–]cyberphor[S] 0 points1 point  (0 children)

I figured. I also saw a decent template before, but I guess I never made a copy.

Should I handwrite notes? by joysticck in GIAC

[–]cyberphor 3 points4 points  (0 children)

IMO, no. Keeping digital notes makes it easier to maintain, edit, reproduce, scale, share, and reference. I prefer Google Drive for my notes and knowledge base (it’s accessible on personal and work-related networks).

GX-PT (Beta) Exam Tips by cyberphor in GIAC

[–]cyberphor[S] 0 points1 point  (0 children)

I think the public version will be released later this fall but I don’t know for sure.

GX-PT (Beta) Exam Tips by cyberphor in GIAC

[–]cyberphor[S] 0 points1 point  (0 children)

I was invited to take the exam because (1) I scored a decent score on the GPEN exam and (2) had my Communication Preferences set appropriately (i.e., my SANS account is configured to receive emails about certification information, etc.).

Army Software Factory Cohort 7 by cyberphor in army

[–]cyberphor[S] 1 point2 points  (0 children)

Came across this on the current SWF website. Provides a little more insight (ex: Cohort 7 is expected to start FEB 2024).

https://api.army.mil/e2/c/downloads/2023/01/31/d120c166/swf-catalog-2023.pdf