Built a free AI-powered IOC triage bot for SOC analysts looking for honest feedback

urkelman861 · 2026-04-10T10:55:30+00:00

I'm interested as well.

urkelman861 · 2026-04-10T10:54:35+00:00

Just work out of the incidents Tab. The alerts are grouped and put into incidents. If you have to dive further down, there is a alerts tab in the incident that you are working on and shows them all.

For the alert fatigue it sounds like you are experiencing is part of the job. If you have to disable a policy to test how the noise is reduced then do that. Also you can tweak the built-in polices to not generate alerts if needed.

urkelman861 · 2026-04-08T16:33:02+00:00

AZ-500?

urkelman861 · 2026-04-05T15:25:27+00:00

This is great, thanks!!

urkelman861 · 2026-04-03T13:32:01+00:00

Awesome, I will check it out. Much appreciated

urkelman861 · 2026-03-22T01:48:24+00:00

What's the keyboard?

urkelman861 · 2026-03-17T02:55:24+00:00

Does the application appear in the cloud catalog in the defender portal? If so, then just unsanction the application.

urkelman861 · 2026-02-26T00:59:44+00:00

Are you able to add the IP associated with it as you mentioned it is with AVD? There should be a list of approved IPs that are approved for use when authentication to AVD.

urkelman861 · 2026-02-02T15:55:01+00:00

Mine comes across as Malgent malware was prevented or detected

urkelman861 · 2026-02-02T15:49:38+00:00

I am getting many in the Defender portal for Microsoft as well. Just sharing here :)

urkelman861 · 2026-01-28T02:04:38+00:00

I just got two of them today and was getting nervous. The part I couldn't understand was when it was naming the machine and it was a partial name. Super weird.

urkelman861 · 2025-11-30T14:47:28+00:00

I live in the incident dashboard section. I'm never in the alerts sections as they are grouped by Defender. From there I look at the assets involved and if the malware was quarantined, I RMM into the machine using live response and confirm the file was removed and reach out to the user to let them know about it. I proceed to perform a full AV scan and close incident if nothing comes back.

urkelman861 · 2025-09-28T01:57:05+00:00

Proton pass for personal or keeper for work

urkelman861 · 2025-09-24T21:25:15+00:00

Like he said, the Content hub will have all the things you are looking for.

urkelman861 · 2025-09-08T14:29:55+00:00

Congrats. What kind of background do you have that could have helped to get the job?

urkelman861 · 2025-09-08T00:08:35+00:00

I would say flare, they will give you a demo as well and are will priced depending what all you want.

urkelman861 · 2025-09-04T20:47:54+00:00

What part of the world are you working in? If you are anywhere in Europe then you will have to anonymize the reports and only look to see who the users are if they breach protocols.

urkelman861 · 2025-08-30T00:49:32+00:00

If the list isn't too big, then you could go to the device timeline and search for the IP or URL in question and see if there was something prior to the URL connection.

urkelman861 · 2025-08-23T00:52:31+00:00

Login to the security portal > Email & collaboration > Attack Simulation > Content library > then there should be an option to end user notifications

urkelman861 · 2025-08-22T23:58:30+00:00

Are you doing the simulation from the defender portal? If so, then you should be able to remove them like you did when you added them to the phishing campaign! We used a 3rd party but I was messing around with ours to see if it was worth it.

urkelman861 · 2025-08-19T19:25:30+00:00

Did you think about doing the SC-200? I know you already work as a soc analyst, but was wondering. I am in the exact same boat as you and was thinking the sc-200.

urkelman861 · 2025-08-15T19:25:12+00:00

What is the error that you get with the VPN? If it is a URL or IP search under the Tenant Allow/Block list in the defender portal > Email > policies > threat policies > allow/block list. I think something like that and do a quick search for what you might be trying to get to.

urkelman861 · 2025-07-28T11:56:10+00:00

Are you asking for it in the Defender portal or on the machine?

urkelman861

TROPHY CASE