Hi Everyone.
I'm trying to write a guide for our analysts on how to perform threat validation when receiving Malicious Activity Detection alerts.
I have a filter set up in AMP that emails the groups when certain events are observed. Specifically we...
First off a nod to ChiefSec-SF & Orlith for their contributions.
Objective: Use PowerShell to create a new Event Stream.
Define Authentication Credentials
$Credentials = Get-Credential -Credential (Get-Credential)
$RESTAPIUser = $Credentials.UserName
$...
Ping on this topic. I'm also looking for a way to use command parameter content to form an exclusion. In my case the offending command is:
C:\WINDOWS\system32\cmd.exe /d /c C:\Program Files (x86)\ThousandEyes\Endpoint Agent\te-chromehelper.exe chrome-...
Just resurrecting this old thread rather than start a new un-linked one. I ran into the same issue again today. So the Detection text wasn't all that useful and trying to research it using Google was a non-starter as well. I ran file analysis on it and ...
This is helpful. However, I use QRadar with their provided DSM for AMP and that's been crippled since this update. I've followed the instructions in creating a new Event Stream and that still fails. [Image: QRadar DSM Error message] I'd welcome the opportunity...
Thanks for your response Thomas. It was well described and considered. I'll still hold out a wish that 'someone' will document or provide description that supports the nomenclature of the signatures a little bit more verbosely than the one on Talos.
So, just as an update... Without adding the other Group GUIDs to the connection, I am still seeing events from ALL of the groups we currently have in our AMP deployment. Which then leads me to presuppose that the initial GUID value in the request was...