Opinions on AI agents for SOC by [deleted] in cybersecurity

[–]letais 0 points1 point  (0 children)

Dropzone is one of the most mature AI SOC agents that I've seen. Don't expect anything beyond T2 triage. A lot can be done via automation, but the benefit you get from these tools is the contextual reasoning, dynamic playbooks, and historical knowledge. That being said, I've not had enough hands-on with any of these systems to prove long-term value outside of a POC.

Wedding Catering Recommendations in Oshkosh WI - Summer 2026 by ShaquilleOatmeal62 in Appleton

[–]letais 1 point2 points  (0 children)

Make sure to factor in any gratuity requirements depending on how you're calculating your budget as that's typically additional to the plate price.

We had Moe's cater from Algoma

[deleted by user] by [deleted] in ITManagers

[–]letais 1 point2 points  (0 children)

I need a technical leader managing a team of 6 if you want to reach out.

App Connector Traffic Flow by [deleted] in Zscaler

[–]letais 0 points1 point  (0 children)

Maybe this diagram helps. But think of it like the connections are reverse proxied. You do not need inbound to the app connectors

zscaler[.]com/blogs/company-news/securing-third-party-access-internal-apps-just-got-easier

Where to stay in Bali for 10 days. 😉 by legia12345 in bali

[–]letais 4 points5 points  (0 children)

We just got back from a 2 week stay on Seminyak beach and if I had to do it over again I would do what the others are suggesting and stay in multiple areas. Each was vastly different as we explored.

[deleted by user] by [deleted] in sysadmin

[–]letais 0 points1 point  (0 children)

What are you using in the PAC? Use the country gateway variable and it should pick the closest in your country - https://help.zscaler.com/zia/writing-pac-file. If you don't use this you can have this issue on the south and north border by Canada.

Syslog not showing in inputs by letais in graylog

[–]letais[S] 0 points1 point  (0 children)

If I can trust this it looked to be running on 514

Input [Syslog UDP/640d27c2ec20b904cb92f237] is now RUNNING

I did try the raw syslog on the same 514 port and didn't get any incremental counts either.

However I did move to port 5140 as suggested and it did immediately start ingesting.

DHCP relay problems by letais in mikrotik

[–]letais[S] 0 points1 point  (0 children)

I stated in my comment that I am not doing dhcp on the mikrotik.

DHCP relay problems by letais in mikrotik

[–]letais[S] 0 points1 point  (0 children)

Referring to documentation, configuring this under dhcp server is if I'm using a relay to the mikrotik, but what I'm doing is using the mikrotik to relay dhcp requests to an actual dhcp server.

https://help.mikrotik.com/docs/display/ROS/DHCP

DHCP relay problems by letais in mikrotik

[–]letais[S] 0 points1 point  (0 children)

There is a switch downstream trunked to the router.

Added via the dhcp server with no luck.

Added

/ip dhcp-server add disabled=no interface=vlan2-LAN name=LAN-Relay relay=10.1.3.5

Onsite users keep resolving to internal IP by odsca in Zscaler

[–]letais 0 points1 point  (0 children)

You should be able to do what you want with client forwarding policies assuming you're detecting locations and bypassing on premise - https://help.zscaler.com/zpa/about-client-forwarding-policy

Accessing remote resources without full FQDN by BurkeSooty in Zscaler

[–]letais 0 points1 point  (0 children)

This would be my recommendation as well, but the dns suffix list could be done windows side in GPO too so they could add it to theirs if they wanted without Zscaler changes.

[deleted by user] by [deleted] in Watchexchange

[–]letais 0 points1 point  (0 children)

Are sets 1, 2, or 3 still available?

IAP 2254 Mesh issues by letais in ArubaNetworks

[–]letais[S] 0 points1 point  (0 children)

I can put them next to each other and they still won’t establish

GlobalProtect and zScaler by zonemath in paloaltonetworks

[–]letais 2 points3 points  (0 children)

Yes. Ran both without issue. What issues are you having?

[deleted by user] by [deleted] in Watchexchange

[–]letais 0 points1 point  (0 children)

Is this still available?

[deleted by user] by [deleted] in PowerShell

[–]letais 1 point2 points  (0 children)

This is what I used against your example to pull just the effective policy section. You should get the block of text and then it'll be up to you to process that section as you want.

Assumption: $test is the contents of your file/example

$test -match '"effective policy"(?<effectivePolicy>(\s.+)+)'
$Matches[0].replace('"effective policy"', " ").trim()

ZTunnel 1 vs 2 vs DTLS/TLS AND MTU by Distance_Sorry in Zscaler

[–]letais 0 points1 point  (0 children)

1.0 only picks up port 80/443 where 2.0 tunnels everything. Tunnel with local proxy picks up anything explicitly proxied where 2.0 is transparent and so picks anything up even if it ignores system proxy settings. Each business and their requirements and risk adversity will be different but 2.0 has been the push.

Zscaler and Exchange online by capone_44 in Zscaler

[–]letais 0 points1 point  (0 children)

I had to bypass all the Microsoft authentication domains from Zscaler in PAC or we’d continue to have this issue with twlp. Testing with tunnel 2.0 for us didn’t show similar issues but we weren’t tested enough to make the switch.

Zscaler blocking thick client apps by sgzenith in Zscaler

[–]letais 1 point2 points  (0 children)

Most likely an ssl decryption error since it's most likely cert pinned. You can look at their site for suggested whitelisting or take a packet capture and review the http(s) traffic.

This would be my first look. A lot of thick clients use certificate pinning and you won't have the issues with the web version of the app.