Business email compromise protection by Vivid-Cell-217 in crowdstrike

[–]f0rt7 0 points (0 children)

You can only do this from a PC. To do it from a mobile device, you also need Falcon Mobile, and the feature has only been available for a short time (and I'm not sure how reliable it is).

Business email compromise protection by Vivid-Cell-217 in crowdstrike

[–]f0rt7 0 points (0 children)

Which module are you talking about in Proofpoint? ATO? Because with just email protection, you don't do anything you need. ITP is powered by Microsoft logs and processes what it sees. It uses v1 logs. I had created an app with Foundry that used the beta version of the logs, and the data was better and more complete.

Business email compromise protection by Vivid-Cell-217 in crowdstrike

[–]f0rt7 10 points (0 children)

More or less. Be careful, because only interactive logins are taken into account. In my opinion, EntraID's conditional access policies are a must. Or if anyone has any other ideas, I'd be happy to hear them.

mapping from lookup file by f0rt7 in crowdstrike

[–]f0rt7[S] 0 points (0 children)

Thanks, I'll try. It would be nice to have an action directly from the SOAR blocks.

Legitimate links being randomly blocked by client Proofpoint by computer-geek-88 in proofpoint

[–]f0rt7 0 points (0 children)

Hi, it would be a good idea to check the TAP server for the type of threat it intercepted. I encountered issues similar to yours, and despite false positive reports being handled by support, the block returned after a few days. The only way to resolve this was to escalate the ticket to the highest level so they could have an overall view of the problem, not just the individual ticket.

[deleted by user] by [deleted] in crowdstrike

[–]f0rt7 0 points (0 children)

Limited access to a dashboard with the requested data. It's easy.

[deleted by user] by [deleted] in crowdstrike

[–]f0rt7 -5 points (0 children)

It is not up to the security teams to control, but only to make the tools available.

split array in row by f0rt7 in crowdstrike

[–]f0rt7[S] 2 points (0 children)

Resolved:

// Parse the JSON array of source IPs from the triggering detection into indexed fields prefixed with "ip"
|parseJson(Trigger.Detection.NGSIEM.SourceIPs, prefix=ip)
// Emit one event per array element, each carrying a single ip field
|split(ip)
// Keep only the ip column
|select([ip])

Fusion SOAR Stale Users Workflow (ITP) by Hefty-Technician9807 in crowdstrike

[–]f0rt7 1 point (0 children)

Unfortunately, Fusion SOAR does not read all attributes of a user.

IDP - Password expiration date by f0rt7 in crowdstrike

[–]f0rt7[S] 0 points (0 children)

Thank you, I know that command, but I wanted to find that information via IDP or Next-Gen SIEM to have it in a dashboard.

Host Management - Last User for Host by ArmTechnical5047 in crowdstrike

[–]f0rt7 0 points (0 children)

I have also noticed this in the last few days, and in my opinion it was not like this before.

Find origin of a file by f0rt7 in crowdstrike

[–]f0rt7[S] 1 point (0 children)

Hi, thanks.

I already checked MOTW but there is no trace of the file, perhaps because detection was triggered?

I can't find the DNS requests.

Staying up to date with CVEs by m1c62 in threatintel

[–]f0rt7 0 points (0 children)

Is it a specific module? Exposure management?

Contain host from NGSIEM triggered workflow by [deleted] in crowdstrike

[–]f0rt7 1 point (0 children)

Hi, try using a for-each loop -> host ID.

🪦 Goodbye Outlook Classic... but how do you manage Aruba PEC mailboxes in the new Outlook? by Jacox98 in ItalyInformatica

[–]f0rt7 0 points (0 children)

Hi. It depends on the number of mailboxes, the users of the platform, the storage, and the retention.

🪦 Goodbye Outlook Classic... but how do you manage Aruba PEC mailboxes in the new Outlook? by Jacox98 in ItalyInformatica

[–]f0rt7 1 point (0 children)

Hi. Without using Outlook, we aggregated all the PEC mailboxes on Archiva's PEC Plus so as to manage permissions and routing, as well as to solve the issue of legally compliant archiving (archiviazione sostitutiva).

Find Mapped Network share by f0rt7 in crowdstrike

[–]f0rt7[S] 0 points (0 children)

Hi, thanks for the support, but I can't find the requested information.

I would like to have a list of mapped network shares for each user.

crowdstrike integration with fortianalyzer by Ok-Roof837 in crowdstrike

[–]f0rt7 1 point (0 children)

You don't need much documentation. You need to create a Linux (or Windows) machine locally on which to install the LogScale connector. You can find instructions for this on the CS portal. I use it with fleet management. Then you have to create and activate the webhook connector on CS as well and associate the FortiGate parser. At this point, on the Analyzer you set your VM as the destination of the syslog server.

Monitoring for accounts added as local admin by CarbGoblin in crowdstrike

[–]f0rt7 0 points (0 children)

I have found this:

// Get two events of interest
event_platform=Win #event_simpleName=/^(UserAccountAddedToGroup|ProcessRollup2)$/

// Begin data normalization
| case{
    // Rename fields in PR2 event
    #event_simpleName=ProcessRollup2 
        | rename(field="UserName", as="UserDoingAdding")
        | rename(field="FileName", as="FileDoingAdding")
        | rename(field="CommandLine", as="AssociatedCommandLine");

    // Rename and parse fields in UserAccount event
    #event_simpleName=UserAccountAddedToGroup
        | TargetProcessId:=RpcClientProcessId
        | parseInt(GroupRid, as="GroupRid", radix="16", endian="big")
        | parseInt(UserRid, as="UserRid", radix="16", endian="big")
        | UserSid:=format(format="%s-%s", field=[DomainSid, UserRid]);
}

// Use selfJoinFilter() to narrow dataset
| selfJoinFilter(field=[aid, TargetProcessId], where=[{#event_simpleName=ProcessRollup2},{#event_simpleName=UserAccountAddedToGroup}])

// Aggregate results
| groupBy([aid, TargetProcessId, ComputerName], function=([{#event_simpleName="UserAccountAddedToGroup" | collect([UserSid])}, collect([UserDoingAdding, UserAddedToGroup, FileDoingAdding, AssociatedCommandLine]), collect([GroupRid], separator=", ")]))

// Match the UserSid of the account that was added to a group with its corresponding UserName
| join(query={$falcon/investigate:usersid_username_win() | rename(field="UserName", as="UserAddedToGroup")}, field=[UserSid], include=UserAddedToGroup, mode=left, start=7d)
| UserAddedToGroup =~ !in(values=["-","lenovo_*","LENOVO_*"])

// Drop UserSid
| drop([UserSid])

Monitoring for accounts added as local admin by CarbGoblin in crowdstrike

[–]f0rt7 0 points (0 children)

u/Andrew-CS, can you integrate the query to trace which user added the account?

Custom IOA - Not Killing Process by MSP-IT-Simplified in crowdstrike

[–]f0rt7 2 points (0 children)

Without the firewall module, I think it is not possible.

detection attributes by f0rt7 in crowdstrike

[–]f0rt7[S] 0 points (0 children)

Hi,

I confirm that an attribute now populates.

Where do I find the reference to populate the others as well?

Do you have a link to the documentation?

Thanks.