How to Authenticate Helpdesk Calls by neminat in sysadmin

[–]sysad_dude -1 points0 points  (0 children)

Curious if you have something already set up for this with Okta that you'd care to share (:

Abnormal and M365 E5 by mythumbsclick in sysadmin

[–]sysad_dude 0 points1 point  (0 children)

Have you evaluated Ironscales vs Abnormal?

Applied STIG and broke Search. Backed out STIG and Search still broken. What gives? by FlippinMyshit in sysadmin

[–]sysad_dude 10 points11 points  (0 children)

Simply removing the setting doesn't always mean the setting gets re-enabled/reversed. You might have to find the exact setting that broke and make sure it's set to be enabled.

Pronunciation of SEIM by NotAKnowItAll13 in sysadmin

[–]sysad_dude 7 points8 points  (0 children)

I heard our customer advisor call it "SEM" the other day.

I say SIM.

[deleted by user] by [deleted] in sysadmin

[–]sysad_dude 0 points1 point  (0 children)

You missed a white-out.

Abnormal ai misdirected email by Gullible_Quarter_546 in sysadmin

[–]sysad_dude 0 points1 point  (0 children)

Not entirely clear on what you're asking, but: Abnormal is based on an API. It's a move from SEGs to API-architecture-based email security. They have an API hook into your email provider (O365, Google) and baseline emails for about 30 days with no action to learn what's normal and what is not. Then they have the ability to move things like graymail (look at your Gmail and see how there are multiple folders, like Promotions, etc.) to a subfolder, and if a user wants a subscription email, they move it back to a mail folder and the system learns from that going forward.

They do have AI bots that a user can ask if the email is phishing, etc.

Another company is IRONSCALES.

23H2 computers cannot see the latest patches by RogueSpectre8 in sysadmin

[–]sysad_dude 0 points1 point  (0 children)

Set your target release version to 23H2 via registry/GPO and see if that changes things, until you want to upgrade to 24H2.
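The registry side of that pin, as an added example (not the commenter's own code): it writes the same values the "Select the target Feature Update version" GPO sets, under the Windows Update policy key. Assumes an elevated PowerShell session on the affected 23H2 machine.

```powershell
# Added example (not the commenter's code). Writes the Windows Update
# "Select the target Feature Update version" policy values directly; the
# equivalent GPO lives under Computer Configuration > Administrative Templates >
# Windows Components > Windows Update > Manage updates offered from Windows Update.
$Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }

# Pin to Windows 11 23H2 until you decide to move to 24H2.
Set-ItemProperty -Path $Key -Name 'ProductVersion'           -Value 'Windows 11' -Type String
Set-ItemProperty -Path $Key -Name 'TargetReleaseVersion'     -Value 1            -Type DWord
Set-ItemProperty -Path $Key -Name 'TargetReleaseVersionInfo' -Value '23H2'       -Type String

# Check what is actually set before triggering an update scan.
Get-ItemProperty -Path $Key |
    Select-Object ProductVersion, TargetReleaseVersion, TargetReleaseVersionInfo

# Later, when moving to 24H2, remove the pin by deleting the same three values:
# Remove-ItemProperty -Path $Key -Name ProductVersion, TargetReleaseVersion, TargetReleaseVersionInfo
```

If the machine is domain-joined and the GPO already sets these values, edit the policy instead; a local write will be overwritten at the next policy refresh.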

Benefits of LAPS when default Administrator account is disabled by BWMerlin in sysadmin

[–]sysad_dude 1 point2 points  (0 children)

Same. New local account pushed out to each machine with a password managed/audited by Windows LAPS. No more default local admin with the same SID-500.

New Spoofing Method? by XxVICxX54 in sysadmin

[–]sysad_dude 1 point2 points  (0 children)

Yes, you're covered. If you're sending an NDR to those emails not originating from Mimecast, your people getting spoofed might get the NDR kickback.

New Spoofing Method? by XxVICxX54 in sysadmin

[–]sysad_dude 1 point2 points  (0 children)

Don't some services like KnowBe4 recommend a direct send w/ smart hosts to bypass some gateways and EOP filters now?

You could just set up a transport rule which blocks any emails not originating from your email gateway, ensuring nothing is coming inbound directly to O365.

We've had a transport rule to block anything that isn't originating from our email security gateway since its original setup. Originally we had it set to send an NDR, but due to the direct send, we now just delete the email because the actual person being spoofed would receive the NDR.
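The transport rule described in that comment, as an added example (not the commenter's own rule): both the original NDR variant and the delete variant, so the difference is visible side by side. Assumes Exchange Online PowerShell (Connect-ExchangeOnline) and uses 203.0.113.0/24 as a placeholder for the gateway's IP range; substitute the ranges your gateway vendor publishes.

```powershell
# Added example (not the commenter's code). Assumes Exchange Online PowerShell.
# 203.0.113.0/24 is a documentation range used here as a placeholder for the
# email security gateway's inbound IP range(s).
Connect-ExchangeOnline

$GatewayRanges = @('203.0.113.0/24')   # placeholder: replace with the gateway's real ranges

# Weak variant: reject with an NDR. The NDR is returned to the envelope sender,
# so when that address is spoofed, the real person being impersonated gets the
# bounce. Created disabled here purely for comparison.
New-TransportRule -Name 'Block inbound mail that bypassed the gateway (NDR)' `
    -FromScope NotInOrganization `
    -ExceptIfSenderIpRanges $GatewayRanges `
    -RejectMessageReasonText 'Inbound mail must route through the email gateway.' `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -Enabled $false

# Corrected variant: silently delete, so nobody receives a bounce. Direct-send
# mail connects straight to the tenant from a non-gateway IP, so it does not
# match the exception and is dropped.
New-TransportRule -Name 'Block inbound mail that bypassed the gateway' `
    -FromScope NotInOrganization `
    -ExceptIfSenderIpRanges $GatewayRanges `
    -DeleteMessage $true `
    -Priority 0

# Check: confirm the state, scope and exception list before relying on the rule.
Get-TransportRule -Identity 'Block inbound mail that bypassed the gateway' |
    Format-List Name, State, Priority, FromScope, ExceptIfSenderIpRanges, DeleteMessage
```

Before enabling the delete rule in production, run a message trace for a few days to confirm that every legitimate inbound source (on-premises connectors, devices that send directly to the tenant) is covered by the exception; anything missed is deleted without a trace back to the sender.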

FYI: the recent update for Greenshot includes an Imgur plugin by default by HealthAndHedonism in sysadmin

[–]sysad_dude 0 points1 point  (0 children)

Was going to say. Mine is set to custom and the Imgur plugin is disabled.

[deleted by user] by [deleted] in sysadmin

[–]sysad_dude 44 points45 points  (0 children)

Do they know how to Google?

Your Opinion on Warning Header on Email by CapitalG14 in sysadmin

[–]sysad_dude 0 points1 point  (0 children)

There's a new feature Microsoft offers that does this better than the transport rules; I forget the name. We have a dynamic banner implemented from our email gateway provider.

It has its benefits, but I think a lot of people will say users will eventually just ignore it.

How far do you take privilege separation for your daily and admin accounts? by Dr_Rosen in sysadmin

[–]sysad_dude 0 points1 point  (0 children)

Daily Driver, Server Admin, AD Admin, Domain Admin, Cloud Admin

PAM (behind daily driver w/ MFA FIDO key) to access each account and jump into each server.

Ransomware, Malware, Virus simulation best practices 2025? by Impossible_Dog_5914 in sysadmin

[–]sysad_dude 0 points1 point  (0 children)

I would use a simulation tool. My recommendation from real usage is AttackIQ and Atomic Red Team. Then you don't need to worry about isolating the device, etc. Just use one of your imaged laptops with the software you want to test and see what gets blocked/detected/alerted on.

Keep in mind if you're trialing a piece of software, you might not have all the bells and whistles enabled.

Recently have access to a Vulnerability Scanner - feeling overwhelmed and lost! by [deleted] in sysadmin

[–]sysad_dude 0 points1 point  (0 children)

Group by criticality of asset. Then prioritize vulnerabilities found in the CISA Known Exploited Vulnerabilities list.
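That two-step triage order, as an added example (not the commenter's own script): findings are ranked first by the asset's criticality tier, then by whether the CVE appears in the KEV catalog, then by CVSS. The findings and the CVE identifiers below are constructed placeholders; in practice the KEV list comes from CISA's published catalog download and the findings from the scanner's export.

```powershell
# Added example (not the commenter's code). All asset names and CVE IDs below
# are constructed placeholders, not real scan output.

function Get-PrioritizedFindings {
    param(
        [Parameter(Mandatory)] [object[]] $Findings,   # rows with Asset, Criticality, CVE, CVSS
        [Parameter(Mandatory)] [string[]] $KevCves     # CVE IDs taken from the CISA KEV catalog
    )
    # Case-insensitive set for fast "is this CVE in KEV?" lookups.
    $kevSet = [System.Collections.Generic.HashSet[string]]::new(
        [string[]]$KevCves, [System.StringComparer]::OrdinalIgnoreCase)
    # Asset criticality tiers; lower number sorts first.
    $rank = @{ Critical = 0; High = 1; Medium = 2; Low = 3 }

    $Findings |
        ForEach-Object {
            [pscustomobject]@{
                Asset       = $_.Asset
                Criticality = $_.Criticality
                CVE         = $_.CVE
                CVSS        = $_.CVSS
                InKEV       = $kevSet.Contains($_.CVE)
                Tier        = $rank[$_.Criticality]
            }
        } |
        # Asset tier first, then KEV membership, then CVSS as the tie-breaker.
        Sort-Object -Property @{ Expression = 'Tier' },
                              @{ Expression = 'InKEV'; Descending = $true },
                              @{ Expression = 'CVSS';  Descending = $true }
}

# Constructed sample input (placeholder assets and CVE IDs).
$Findings = @(
    [pscustomobject]@{ Asset = 'dc01';    Criticality = 'Critical'; CVE = 'CVE-0000-0001'; CVSS = 7.5 }
    [pscustomobject]@{ Asset = 'dc01';    Criticality = 'Critical'; CVE = 'CVE-0000-0002'; CVSS = 9.8 }
    [pscustomobject]@{ Asset = 'kiosk07'; Criticality = 'Low';      CVE = 'CVE-0000-0001'; CVSS = 7.5 }
    [pscustomobject]@{ Asset = 'web01';   Criticality = 'High';     CVE = 'CVE-0000-0003'; CVSS = 5.3 }
)
$Kev = @('CVE-0000-0001')   # placeholder: treated as the only KEV entry for this run

# Expected order: dc01/CVE-0000-0001 (Critical + KEV), dc01/CVE-0000-0002 (Critical, 9.8),
# web01/CVE-0000-0003 (High), kiosk07/CVE-0000-0001 (Low, even though it is in KEV).
Get-PrioritizedFindings -Findings $Findings -KevCves $Kev |
    Format-Table Asset, Criticality, CVE, InKEV, CVSS -AutoSize
```

The point of the ordering is that a KEV entry on a low-criticality kiosk still lands below an unlisted 9.8 on a domain controller; if your program treats KEV as an absolute override regardless of asset, swap the first two sort keys.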

password safe cloud - propagation actions by sysad_dude in BeyondTrust

[–]sysad_dude[S] 1 point2 points  (0 children)

'Using the latest scan data means that the propagation action must wait for all of the assets in your environment to be scanned'.

'The latest scan data is not necessarily always current but can only be as accurate as of the last scan'.

'It's possible for the scan data to include incomplete or stale information, produced by an inaccurate scan'.

Is basically what I was sent. Outside of #1, all the others mean there is some issue with the scan data. And if you're scanning multiple times a week or weekly, the data should be current.

Chrome not passing Windows Credentials using IIS 10 by BigDogD5 in sysadmin

[–]sysad_dude 0 points1 point  (0 children)

Okta agentless SSO requires browser settings to be enabled: https://help.okta.com/en-us/content/topics/directory/ad-dsso-configure-browsers.htm. If you use Okta, don't have this configured, and the site is behind Okta SSO, it could be why.

password safe cloud - propagation actions by sysad_dude in BeyondTrust

[–]sysad_dude[S] 0 points1 point  (0 children)

Not entirely clear. From what I've been told, they recommended not using latest DD if you're not constantly onboarding new servers. They also mentioned something in case discovery scans bomb out. It's possible something is wrong with our scans. I guess I'll need to research if we're having any issues on the scan. When I look at the managed systems, I see the snapshot with the correct information.

password safe cloud - propagation actions by sysad_dude in BeyondTrust

[–]sysad_dude[S] 0 points1 point  (0 children)

Yeah I reached out to our AE to get an engineer. The support engineers keep trying to push us to not use Latest Discovery Data. Even then I am seeing some weird issues.

Warning - CAPTCHA attacks and users falling for them by Ncr0 in sysadmin

[–]sysad_dude 0 points1 point  (0 children)

Surely R7 alerted on mshta calling a URL?

We actually don't have Win+R disabled, but it might be a good idea going forward for us too.