SecurityAura
Suggestion: NetworkListen. When a process is listening on a network port. I'm guessing here that NetworkConnect would cover both outbound (host to remote) and inbound (remote to host). If not,...
Sorry for the late reply, busy week! 😂 I see that @nasbench already did a huge PR to remove most of the tools I had identified. I'll give it a...
Below is a first pass I did. However, I think it would be better to merge @nasbench pull first because it seems like his PR is removing a few of...
Just checking in to see if there's any plan to go ahead with Nas's merge to remove the non-RMM tools he flagged and then I can clean up the list...
All good no worries! I agree that there should be a distinction between RAT (Remote Access Tools) and RMM (Remote Monitoring and Management Tools). I would still maintain that a...
Providing additional context around this: The telemetry should be enabled by default AFAIK. The events are part of the DeviceNetworkEvents table. https://techcommunity.microsoft.com/blog/microsoftdefenderatpblog/new-network-based-detections-and-improved-device-discovery-using-zeek/3682111 https://techcommunity.microsoft.com/blog/microsoftdefenderatpblog/enrich-your-advanced-hunting-experience-using-network-layer-signals-from-zeek/3794693 ActionTypes are listed in the 2nd URL....