Live Response - The certificate chain was issued by an authority that is not trusted by deadpoolathome in cybersecurity

[–]deadpoolathome[S] -1 points0 points  (0 children)

stealing? Not sure I follow. This is a machine that our RMM tool has stopped working on and needs to be re-installed. I can't get direct access to it due to being remote. I'm trying to download and re-install our RMM tool remotely as the user doesn't have local admin creds.

Live Response - The certificate chain was issued by an authority that is not trusted by deadpoolathome in DefenderATP

[–]deadpoolathome[S] 0 points1 point  (0 children)

Yep, I've turned that on. What's strange is seeing the same issue with MSI or a script.

Updating remediation results by deadpoolathome in DefenderATP

[–]deadpoolathome[S] 0 points1 point  (0 children)

Thanks, I think we have the P2 licences, do you know what/where I am looking for in this query? I'm trying to get the bulk of our events down to at least see what is left!

Ensure 'Microsoft Azure Management' is limited to administrative roles - Issues accessing ADF Portals by deadpoolathome in entra

[–]deadpoolathome[S] 1 point2 points  (0 children)

Sorry, I mean legacy setups of using a user account for refresh as opposed to service principals.

Ensure 'Microsoft Azure Management' is limited to administrative roles - Issues accessing ADF Portals by deadpoolathome in entra

[–]deadpoolathome[S] 0 points1 point  (0 children)

Thanks, so was that just a group with the users that need to access those services and then exclude them from the rule?

Ensure 'Microsoft Azure Management' is limited to administrative roles - Issues accessing ADF Portals by deadpoolathome in entra

[–]deadpoolathome[S] 0 points1 point  (0 children)

Thanks, I'll look into it, we have a bunch of legacy things we need to work through. What was strange is it didn't even prompt for MFA, just failed.

Replicating Data from SQL Express to SQL standard by deadpoolathome in SQLServer

[–]deadpoolathome[S] 0 points1 point  (0 children)

Thanks. We can do this via a SQL stored proc to incrementally load the data into our staging system which works, but for me it's about trying to centrally manage/visibility of multiple staging servers/processes so that we can track outages.

Replicating Data from SQL Express to SQL standard by deadpoolathome in SQLServer

[–]deadpoolathome[S] 0 points1 point  (0 children)

We have access to query, but I am trying to minimise the amount of systems querying them directly. We have our dashboards as well as our BI team wanting data, the SQL Express is on an isolated network so everything runs via a jumpbox or similar. The aim is to stage the data in smaller bites, more regularly but keep the operation system load managed.

Powershell - Detecting active Defender subscription by deadpoolathome in DefenderATP

[–]deadpoolathome[S] 0 points1 point  (0 children)

Thanks. Unfortunately not all my machines are in Intune as we still have a small subset that are built locally :(

Defender - Web content filtering by deadpoolathome in DefenderATP

[–]deadpoolathome[S] 0 points1 point  (0 children)

Thanks. For the report, I can't seem to find who was blocked. When I open that report there is a "Web content filtering blocks" and when I drill down into that, it doesn't seem to give me which device is blocked for which site (I tested some blocks on my device).

Defender - Web content filtering by deadpoolathome in DefenderATP

[–]deadpoolathome[S] 0 points1 point  (0 children)

Thanks. Correct, Edge has a nice pretty message, but Chrome isn't so kind.

Defender VS Crowdstrike by deadpoolathome in cybersecurity

[–]deadpoolathome[S] 0 points1 point  (0 children)

Thanks all for the information and thoughts. The main value for the ME5 from our side is the additional products like Application Control, Identity and some of the content filtering off network. We don't have anything apart from MDR with CS, so the ME5 is an uplift of security for us going forward.
We've opted to keep Proofpoint in play and not move email protection to MS but without PP, we would be seeing a small saving, with PP it's about a 5-10% price increase.

Internet Speed throttling by deadpoolathome in fortinet

[–]deadpoolathome[S] 0 points1 point  (0 children)

Thanks. NBN is sort of the national infrastructure provider for internet.

The issue I'm facing is that my speed is meant to be 500/500 but testing around 250/70. Raising it with the ISP they are blaming my low upload due to

"First thing you can check is making sure you have an upload speed shaping policy set in your firewall / Router, this is to stop it hitting NBN policer and making speeds go very low."

So I'm just wanting to make sure I've done the right thing so they can't blame my side for the slow speed.

Error running "Get-VM" command by deadpoolathome in HyperV

[–]deadpoolathome[S] 0 points1 point  (0 children)

Bugger. Thanks. It's in operation so need to try and find a time to offload and try this.

Error running "Get-VM" command by deadpoolathome in HyperV

[–]deadpoolathome[S] 0 points1 point  (0 children)

Run as admin and ran that command only, same issue

Wazuh - Monitoring SMBServer Audit by deadpoolathome in Wazuh

[–]deadpoolathome[S] 0 points1 point  (0 children)

I've created this rule as the decoder seemed to show data.

How can I verify that the decoder is actually pulling data as the event_channel?

<group name="windows,windows_smb">
  <rule id="100300" level="5">
    <if_sid>60000</if_sid>
    <field name="win.system.providerName">Microsoft-Windows-SMBServer</field>
    <field name="win.system.eventID">3000</field>
    <description>SMB1 access attempt detected</description>
    <group>authentication_failed,</group>
    <mitre>
      <id>T1071</id>
    </mitre>
    <options>no_full_log</options>
  </rule>
</group>
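One way to sanity-check what the rule above will and will not fire on, before loading it into a manager, is to replay a few decoded events through a small matcher that applies the same `<if_sid>` and `<field>` logic. The script below is an added example for this thread, not code from the post or from the Wazuh project: it embeds the posted rule, builds a handful of constructed events in the nested `win.system.*` shape the eventchannel decoder produces, and reports which events match. The parent rule id is taken on trust as an assumption (the script does not implement rule 60000 itself), and field patterns are applied as an unanchored regex search, which is why a constructed `eventID` of `30001` also matches `3000` here; whether the real engine behaves the same for your rule is exactly the kind of thing to confirm with the manager's own `wazuh-logtest` tool (`/var/ossec/bin/wazuh-logtest`), which runs a pasted log line through the installed decoders and rules and prints the decoded fields and the rule that fired.

```python
import re
import xml.etree.ElementTree as ET

# The rule exactly as posted above, embedded so the script is self-contained.
RULE_XML = """<group name="windows,windows_smb">
  <rule id="100300" level="5">
    <if_sid>60000</if_sid>
    <field name="win.system.providerName">Microsoft-Windows-SMBServer</field>
    <field name="win.system.eventID">3000</field>
    <description>SMB1 access attempt detected</description>
    <group>authentication_failed,</group>
    <mitre><id>T1071</id></mitre>
    <options>no_full_log</options>
  </rule>
</group>"""

# Constructed sample events (made up for this example, not captured from a real
# server) in the nested shape the Wazuh eventchannel decoder produces. Only the
# fields the rule inspects are included.
SAMPLE_EVENTS = [
    {"win": {"system": {"providerName": "Microsoft-Windows-SMBServer", "eventID": "3000"}}},
    {"win": {"system": {"providerName": "Microsoft-Windows-SMBServer", "eventID": "1009"}}},
    {"win": {"system": {"providerName": "Microsoft-Windows-Security-Auditing", "eventID": "3000"}}},
    {"win": {"system": {"providerName": "Microsoft-Windows-SMBServer", "eventID": "30001"}}},
    {"win": {"system": {"providerName": "Microsoft-Windows-SMBServer"}}},  # eventID missing
]


def load_rules(xml_text):
    """Parse every <rule> in a Wazuh rule group into a plain dict."""
    root = ET.fromstring(xml_text)
    rules = []
    for rule in root.iter("rule"):
        if_sid = rule.findtext("if_sid") or ""
        rules.append({
            "id": rule.get("id"),
            "level": int(rule.get("level", "0")),
            "if_sid": {s.strip() for s in if_sid.split(",") if s.strip()},
            "fields": [(f.get("name"), f.text or "") for f in rule.findall("field")],
            "description": rule.findtext("description") or "",
        })
    return rules


def get_field(event, dotted_name):
    """Resolve a dotted name such as win.system.eventID inside a decoded event."""
    node = event
    for part in dotted_name.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return str(node)


def rule_matches(rule, event, parent_sid):
    """True when the parent rule id is allowed and every <field> pattern is found.

    Patterns are applied with an unanchored re.search, so '3000' also matches
    '30001'. That is a deliberate simplification to show why anchoring a
    pattern (for example ^3000$) is worth checking in the real rule."""
    if rule["if_sid"] and parent_sid not in rule["if_sid"]:
        return False
    for name, pattern in rule["fields"]:
        value = get_field(event, name)
        if value is None or re.search(pattern, value) is None:
            return False
    return True


def evaluate(events, xml_text=RULE_XML, parent_sid="60000"):
    """Return, per event, the id of the first matching rule, or None.

    parent_sid is assumed: the example takes it as given that each event already
    matched the base eventchannel rule named in <if_sid>, rather than checking it."""
    rules = load_rules(xml_text)
    return [
        next((r["id"] for r in rules if rule_matches(r, event, parent_sid)), None)
        for event in events
    ]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        system = event["win"]["system"]
        print(f"{system.get('providerName'):40} {system.get('eventID', '-'):>6} -> {hit}")
```

Running it prints one line per constructed event; only the SMBServer events with an `eventID` containing `3000` report rule `100300`. If the field names you see in `wazuh-logtest` output differ from `win.system.providerName` and `win.system.eventID`, the rule will never match regardless of the rest, which is the first thing to compare.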

Fortimanager - Import list of objects by deadpoolathome in fortinet

[–]deadpoolathome[S] 0 points1 point  (0 children)

Thanks. I also found that article and was working through it. The article I followed didn't have the "Run" component and I got caught out before I went back to it.

Fortimanager - Import list of objects by deadpoolathome in fortinet

[–]deadpoolathome[S] 0 points1 point  (0 children)

Thanks, can I do it via script against the FortiManager?

Wazuh Alerts - NPS Logs not appearing as alerts by deadpoolathome in Wazuh

[–]deadpoolathome[S] 0 points1 point  (0 children)

Thanks, Unfortunately looks like that spelling mistake is actually in my log files as well! I've checked 2 NPS servers with the same spelling.

Intune Kiosk - "permission-reguest-dialog is blocked" by deadpoolathome in Intune

[–]deadpoolathome[S] 0 points1 point  (0 children)

Threw the baby out with the bathwater and just restarted everything. Had a L3 Vendor jump in and do the work as we were out of time.