This SOAR EDR project was incredible! Following along and learning from your detailed explanations was so valuable and fun! Your insights into integrating and automating security operations have been incredibly enlightening. Thanks for sharing your expertise! I look forward to the next Awesome project that you present.
This tutorial was truly amazing. Learnt a lot and followed the steps as per your instruction. Didn't run into any errors. You are amazing mate. Keep up the great work. One day I hope to sign up for your course to thank you and check your other projects out. :)
For anyone wondering how to include the user prompt in the Slack and/or email: the way I found was to generate a dynamic link, which can be included in either Slack or email messages as a variable "PAGE.page_name", so in this case it would be "PAGE.user_prompt". Make sure that the page is downstream of the Slack and email blocks, i.e. the Slack and email blocks connect downward to the page, just like in MyDFIR's example.
Thank you for this priceless project Steven. From the intro to the end, it's fire. I will recommend this to others who are interested. God bless you my friend.
Much appreciated! The goal is to help those wanting to get practical experience and build up their portfolio. By you helping me share the content around, it would definitely help towards my goal.
Hey Steven, how can I integrate this directly into my web page, which asks the user via a prompt whether to isolate the machine or not? And then, based on my response, the action can be performed?
Thank you very much for walking through this project; it has been a really great learning experience. I have a question: I used a VM instead of a cloud server for the endpoint and found that there were two instances installed with sensors, and the isolation was stuck in "waiting" status. Can you please explain whether this is the expected behavior when using a VM as the endpoint?
Hello Maestro, based on your experience working with organizations, how much time do you spend working with these tools, and how many alerts/rules are you making per day? Also, do you use MITRE ATT&CK to generate those rules?
It depends on the organization and how "mature" they are. We wouldn't be making new alerts every day; instead it would be tuning existing ones. And yes, MITRE ATT&CK is a good guideline to follow, but the goal isn't to detect every single technique.
The project is very clear and intuitive. Thank you so much. I have a small suggestion: would it be easy to send the link to isolate the machine by email and isolate the machine directly by clicking that link?
Yeah, the roadmap PDF contains links and resources where the video does not. You can watch the video for free and use that as a guide. No need to purchase the roadmap, unless you want to buy me a coffee haha 😁
Hey Steven, I have one question related to this LaZagne app. We created the rule and automation for the LaZagne app, but what if any other app similar to this is run on the machine? Will this automation work and show us the user prompt to isolate the machine, or do we have to configure the hashes and all those things manually first?
Can you please do a tutorial on a Wazuh multi-site implementation that helps organizations unify their security monitoring capabilities across multiple geographically dispersed locations or sites with a single dashboard?
Sounds like a professional services job haha. Multi-tenancy might be a bit difficult due to the nature of being multi-tenant, but it's something I'll think about.
So, how do we get it to go through all of the steps in Tines without doing it manually? Like, after it's set up, if you go and run the LaZagne program, is it supposed to automatically send you a message and an email and ask you to isolate?
Once all the steps are completed, it should work automatically. Tines will send a Slack message and an email providing you with the alert information. Afterwards, you'll go into Tines and isolate if you choose to do so.
@MyDFIR So I'm not sure what happened, but I looked back through my documentation and remembered where I connected LimaCharlie to Tines. I recopied the webhook URL and put it in LimaCharlie again, and now it's working properly! When I run the command on my VM it sends me a message in Slack and an email!
Hello, I have installed LimaCharlie on another laptop and I have set a rule. When the process is running, how can we send the user prompt to them for choosing yes or no?
@MyDFIR Sir, I really tried my best to find out how to send the user prompt to the user to choose yes or no, but I still can't find the way to send the prompt. Please help me, sir 😢😢🥲🥲
Kindly provide DFIR course-related videos. I am in GRC and now trying to switch to digital forensics & incident response. Kindly assist with how to start and proceed 🎉
Nope, truth be told, I couldn't find the option to send that as an email. If you find out how, let me know! The user prompt page is there to have the user select whether they want to isolate or not, as most of the time we never want to isolate automatically. You could probably change this to be sent to Slack/email with a yes or no option as well, but I'll leave that to you and other curious individuals who want to learn more!
BTW, idk if you know, but a channel called Cynik posted a video pretty much copying this with no credit to you! Idk how this works as far as stealing content, but he made his own video doing everything you did while calling it his own. I didn't see credit to you anywhere.