another cool thing is to reverse-DNS the source IP during message ingest and add the hostname as a new field so you can reference it months later
If I’m thinking this through correctly, it is just a matter of setting up the lookup table/data adapter, and then adding the pipeline rule?
2 more replies
New conversation
I’ve noticed that my endpoints query their own DNS in their Sysmon logs, could be useful backup ID method for people without network gear access
Set the lease time as long as you can and this is less of a problem!
No, don't really do that.
It will lead to constantly exhausting the DHCP scope.
5 more replies
New conversation
Yep. Yep. And, Yep. I'll give it to Chronicle Backstory. Decent price and they auto-correlate DHCP. Doing that shit manually sucks, esp with short lease times.
Printing this out, laminating it, and will throw it at every client. pic.twitter.com/pCLhk48PdJ
One issue (at least the last time I investigated DHCP) was that there was no common log formatting, location, configuration, etc., and many devices didn't generate any logs whatsoever.
Lack or inconsistency of logs is one gripe of mine wrt endpoint/device detection. We can (and I often have) shown the great analysis that can be done on endpoints, but for a variety of reasons the go-to-market strategy is a nightmare. From ~10 years ago: https://www.youtube.com/watch?v=BZXOHJ_xRac&feature=emb_logo …
End of conversation
New conversation
Do you have your domain controller logs? We use authentication logs from them to correlate IP to a hostname.
You can use any basic SIEM to ingest DHCP and auth/RADIUS logs from your DC. Syslog auth traffic is also handy from your non-Windows gear. DNS traffic is a little trickier. An EDR is super handy for DNS traffic coming off your endpoints.
End of conversation
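A worked example of the DHCP correlation the replies above keep coming back to (lease logs in a SIEM, and why short lease times make it painful). This is added here and is not code from the thread or from any product mentioned in it. It assumes ISC dhcpd-style DHCPACK/DHCPRELEASE syslog lines with the client hostname in parentheses (the sample log below is constructed), an 8-hour lease, and ISO timestamps; the names parse_dhcp_log, resolve and LEASE_TIME are this example's own.

```python
"""Answer "which host had IP X at time T?" from DHCP server logs.

Added example, not from the thread. Log format and lease time are
assumptions; the sample log is constructed to show the short-lease
ambiguity: 10.1.2.50 belongs to three different hosts on one day.
"""
import re
from datetime import datetime, timedelta

LEASE_TIME = timedelta(hours=8)   # assumed scope lease time

# Constructed dhcpd-style syslog sample (not real data).
SAMPLE_DHCP_LOG = """\
2024-03-04T08:00:05 dhcpd: DHCPACK on 10.1.2.50 to 00:11:22:33:44:55 (laptop-alice) via eth0
2024-03-04T08:02:10 dhcpd: DHCPACK on 10.1.2.51 to 66:77:88:99:aa:bb (laptop-bob) via eth0
2024-03-04T09:30:00 dhcpd: DHCPRELEASE of 10.1.2.50 from 00:11:22:33:44:55 (laptop-alice) via eth0
2024-03-04T09:45:00 dhcpd: DHCPACK on 10.1.2.50 to cc:dd:ee:ff:00:11 (printer-3f) via eth0
2024-03-04T12:02:10 dhcpd: DHCPACK on 10.1.2.51 to 66:77:88:99:aa:bb (laptop-bob) via eth0
2024-03-04T15:00:00 dhcpd: DHCPACK on 10.1.2.50 to 12:34:56:78:9a:bc (laptop-carol) via eth0
"""

ACK_RE = re.compile(r"^(\S+) dhcpd: DHCPACK on (\S+) to (\S+) \((\S+)\) via")
REL_RE = re.compile(r"^(\S+) dhcpd: DHCPRELEASE of (\S+) from (\S+) \((\S+)\) via")


def parse_dhcp_log(text, lease_time=LEASE_TIME):
    """Turn ACK/RELEASE lines into per-IP lease intervals.

    Returns {ip: [(start, end, mac, hostname), ...]} sorted by start.
    A lease ends at the earliest of: an explicit RELEASE, the IP being
    handed to a different MAC, or start + lease_time (silent expiry).
    An ACK for the same MAC is a renewal and extends the open lease.
    """
    closed = {}   # ip -> finished intervals
    active = {}   # ip -> [start, end, mac, host] still open

    for line in text.splitlines():
        m = ACK_RE.match(line)
        if m:
            ts, ip, mac, host = m.groups()
            t = datetime.fromisoformat(ts)
            cur = active.get(ip)
            if cur and cur[2] == mac:          # renewal by the same client
                cur[1] = t + lease_time
                continue
            if cur:                            # IP reassigned without a release
                cur[1] = min(cur[1], t)
                closed.setdefault(ip, []).append(tuple(cur))
            active[ip] = [t, t + lease_time, mac, host]
            continue
        m = REL_RE.match(line)
        if m:
            ts, ip, mac, host = m.groups()
            t = datetime.fromisoformat(ts)
            cur = active.pop(ip, None)
            if cur:
                cur[1] = min(cur[1], t)
                closed.setdefault(ip, []).append(tuple(cur))

    for ip, cur in active.items():             # leases still open at end of log
        closed.setdefault(ip, []).append(tuple(cur))
    for ip in closed:
        closed[ip].sort()
    return closed


def resolve(leases, ip, when):
    """Return (mac, hostname) holding `ip` at `when`, or None if no lease covers it."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    for start, end, mac, host in leases.get(ip, []):
        if start <= when < end:
            return mac, host
    return None


if __name__ == "__main__":
    leases = parse_dhcp_log(SAMPLE_DHCP_LOG)
    for ip, t in [("10.1.2.50", "2024-03-04T09:00:00"),
                  ("10.1.2.50", "2024-03-04T09:35:00"),
                  ("10.1.2.50", "2024-03-04T15:30:00"),
                  ("10.1.2.51", "2024-03-04T21:00:00")]:
        print(ip, "at", t, "->", resolve(leases, ip, t))
```

The interesting answers are the None ones: 10.1.2.50 between the release at 09:30 and the next ACK at 09:45 belongs to nobody, and 10.1.2.51 after the renewed lease expires at 20:02 is unattributable even though the same laptop may still be on the wire. A pipeline that only keeps the latest ACK per IP would silently return the wrong host in both cases, which is the whole reason the thread argues for ingesting DHCP logs with their timestamps rather than looking up IP to hostname at investigation time.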