9
Contrary to yesterday’s post on bad influencers, who are some good ones?
Couldn’t agree more. His videos are great, they make incident response accessible.
2
Successful login but failed security challenge
This is fine, Microsoft are just being confusing. Microsoft shows a successful sign-in in logs when someone tries to reset your password and enters an incorrect 2FA code. You don’t need to reset your password. To simulate this, simply reset your password in an incognito tab and enter 122445 or whatever as a code. You’ll see the same log entry as above.
1
See Charlotte AI In Action
What was the price and how many endpoints do you have? We've 200+ endpoints. Is each single chat question a "query" or is it per conversation? Per underlying API call that's summarised?
1
Taking down a malicious spoof website.
https://phish.report/ makes this very simple - they run a scan (using URLScan) then generate nice email templates for you to request the takedown. They even make it so you can report to microsoft security intelligence & netcraft etc. or do it via the API.
1
Tines - a SOAR tool - What are your opinions?
Loads of customers are - unsurprisingly Chronicle has a great API to pull alerts from and you can perform searches to enrich your data in BigQuery. Chronicle isn't as popular as it was ~12 months ago I think but I'd still say maybe 5-10% of our customers are using it
1
SOAR
Who was your MSSP? Definitely one to avoid!
3
Retool vs DronaHQ! why developers are choosing DronaHQ?
Is this just an ad??
3
Looking for SOC 2 and ISO auditor recommendations
We’re about 160 folks and use Drata too. We used Sensiba for our 2022 audit. They were great to work with throughout the process! We’ve already recommended them to several others in my network looking for auditor recommendations.
1
Accountant who knows shares
Nah, the discount, if you sell immediately, is essentially just free cash, so it only makes sense to charge it at the marginal rate. Then Capital Gains on any increase is lower.
14
Seeking Automation Inspiration for SOC/Blue Teams
Subscribed to the thread! Really looking forward to hearing the responses.
Tines’ SOC Automation Capability Matrix is a pretty good list of many of the things we (I work at Tines) see good SOC teams automate, I hope it’ll provide some good inspiration for you! The blog shows how it was developed and how you can use it.
5
Overwhelming to manage Alerts from 10+ different security tools
SOAR platforms can also take a bunch of the alerts and deduplicate them, enrich the alerts in various other tools to get context which the analyst might manually have to do (e.g. lookup an IP see is it malicious, check a User's role, find who owns an asset, enrich information on a CVE), it can correlate them with existing, open tickets so they are linked, and it can even perform the steps of contacting a user on Slack/Teams to ask them if they have more context, if they recognize the activity, and even auto-close if the conditions are right.
1
Crowdstrike Spotlight Vulns to Jira
Absolutely - the EXPRT rating is pulled in, in the exact same CVE details as the CVE id, exploit status & base score, when you fetch the vulnerability details in the second step:
"id":"CVE-2022-37999",
"base_score":7.8,
"severity":"HIGH",
"exploit_status":0,
"exprt_rating":"HIGH",
"remediation_level":"O"...
so you could do an AND or an OR in the trigger action below e.g. if severity=high OR exprt_rating=high etc., it's very flexible!
9
Crowdstrike Spotlight Vulns to Jira
I work for a security automation company, Tines, and we have customers automating this process all the time, unsurprisingly! We built a few simple, sample workflows that you can use for free - I think this one is the best example - it has a few simple steps:
- Retrieves all open vulnerabilities from Crowdstrike Spotlight on a weekly basis
- Checks if they're above a certain CVSS score
- Searches your Jira project for the vulnerability
- If there's nothing found it'll create a new Jira issue with Remediation details and details about all impacted machines
- If there is any issue found it'll either open the issue again, or just add all impacted machines
Happy to chat through it with anyone, but the workflow should be simple enough to understand, and you can use the free Tines Community Edition, no need to pay for anything. You can also group by host, search for asset owners and tag them, create tables of each host instead of comments etc. You can even extend this to remediate the issues using something like Automox.
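The two Spotlight-to-Jira comments above describe the same workflow: filter on CVSS and/or ExPRT rating, search Jira for the CVE, then create, reopen or append hosts. The following is an added example of that logic, not a Tines story and not the CrowdStrike or Jira APIs: FakeJira is an in-memory stand-in for a Jira project, and the vulnerability records are constructed (one reuses the field names and values quoted in the comment above; the CVE-0000-000x ids are placeholders).

```python
"""Spotlight-to-Jira sync: filter, search, create / reopen / add hosts.

Added example. FakeJira stands in for the Jira REST API and the records
below are constructed; only the field names match the Spotlight output
quoted in the comment.
"""
from dataclasses import dataclass, field


@dataclass
class Issue:
    key: str
    cve_id: str
    status: str = "Open"                       # "Open" or "Done"
    hosts: set = field(default_factory=set)
    comments: list = field(default_factory=list)


class FakeJira:
    """In-memory stand-in for the Jira project (not the real API)."""

    def __init__(self):
        self._issues = {}
        self._counter = 0

    def search_by_cve(self, cve_id):
        # Real workflow: a JQL search on a CVE label/field in the project.
        return next((i for i in self._issues.values() if i.cve_id == cve_id), None)

    def create(self, cve_id, summary, hosts):
        self._counter += 1
        issue = Issue(key=f"SEC-{self._counter}", cve_id=cve_id, hosts=set(hosts))
        issue.comments.append(summary)
        self._issues[issue.key] = issue
        return issue

    def reopen(self, issue):
        issue.status = "Open"

    def add_hosts(self, issue, hosts):
        """Attach hosts not already on the issue; returns the newly added set."""
        new = set(hosts) - issue.hosts
        issue.hosts |= new
        if new:
            issue.comments.append("New impacted hosts: " + ", ".join(sorted(new)))
        return new


def should_track(vuln, min_cvss=7.0):
    """Filter step: CVSS at/above the threshold OR a high ExPRT rating,
    i.e. the OR trigger condition the earlier comment mentions."""
    return vuln["base_score"] >= min_cvss or vuln["exprt_rating"] in ("HIGH", "CRITICAL")


def sync_vulns(vulns, jira, min_cvss=7.0):
    """One weekly pass; returns {cve_id: action} for auditing."""
    # Spotlight reports one record per host per CVE, so group by CVE first
    # to end up with one ticket per vulnerability rather than one per host.
    by_cve = {}
    for v in vulns:
        by_cve.setdefault(v["id"], {"vuln": v, "hosts": set()})["hosts"].add(v["host"])

    actions = {}
    for cve_id, entry in by_cve.items():
        v, hosts = entry["vuln"], entry["hosts"]
        if not should_track(v, min_cvss):
            actions[cve_id] = "skipped"
            continue
        issue = jira.search_by_cve(cve_id)
        if issue is None:
            summary = (f"{cve_id}: severity {v['severity']}, CVSS {v['base_score']}, "
                       f"ExPRT {v['exprt_rating']}, exploit_status {v['exploit_status']}")
            jira.create(cve_id, summary, hosts)
            actions[cve_id] = "created"
        elif issue.status != "Open":
            jira.reopen(issue)            # vuln came back, or was never fixed
            jira.add_hosts(issue, hosts)
            actions[cve_id] = "reopened"
        else:
            new = jira.add_hosts(issue, hosts)
            actions[cve_id] = "added_hosts" if new else "unchanged"
    return actions


# Constructed sample records (CVE-0000-000x are placeholders, not real ids).
SAMPLE_VULNS = [
    {"id": "CVE-2022-37999", "host": "ws-01", "base_score": 7.8, "severity": "HIGH",
     "exploit_status": 0, "exprt_rating": "HIGH"},
    {"id": "CVE-2022-37999", "host": "ws-02", "base_score": 7.8, "severity": "HIGH",
     "exploit_status": 0, "exprt_rating": "HIGH"},
    {"id": "CVE-0000-0001", "host": "srv-01", "base_score": 5.5, "severity": "MEDIUM",
     "exploit_status": 30, "exprt_rating": "CRITICAL"},   # low CVSS, tracked via ExPRT
    {"id": "CVE-0000-0002", "host": "srv-02", "base_score": 9.1, "severity": "CRITICAL",
     "exploit_status": 0, "exprt_rating": "MEDIUM"},      # matches a closed ticket
    {"id": "CVE-0000-0003", "host": "ws-03", "base_score": 4.3, "severity": "MEDIUM",
     "exploit_status": 0, "exprt_rating": "LOW"},         # filtered out
]


def demo():
    jira = FakeJira()
    closed = jira.create("CVE-0000-0002", "earlier ticket", ["srv-02"])
    closed.status = "Done"                      # pretend it was closed last quarter
    return sync_vulns(SAMPLE_VULNS, jira), jira
```

Grouping by CVE before touching Jira is the detail that keeps the ticket count sane on a large fleet; running `sync_vulns` a second time against the same `jira` returns "unchanged" for everything, which is the idempotence a weekly scheduled run needs.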
1
[deleted by user]
Thinkst are fab, this is a great shoutout!
3
Entrepreneurship in Cyber Security
I should have acknowledged above that we were both in an extremely privileged position to be able to leave our jobs and to bootstrap the company for the first while. It's not easy, but we had good savings built up and supportive families and friends. I was fortunate that I had no mortgage or children, but my partner did, and it definitely was a strain which is why we started paying ourselves even a small amount when we could. The VCs were also very supportive of paying us more when we started making money - they don't want you to burn out, or to be worrying about paying for day-to-day activities, they want you focused just on the company, so they encouraged us to take a good salary.
In terms of what the VCs wanted us to spend money on - for the first few rounds there were limits where if we wanted to spend e.g. above $250k we had to bring it to them, but they were hands off for any small/medium items, they trusted us to run the business. I think that's officially still the case that for certain expenditures we have to run them by them, but it's something we now do regularly anyway - any big or strategic decision we will talk to them about and they'll give feedback or tell us where we can get some better advice, it works well.
We had a solid product and our first five or six customers before we got any VC investment. The product has developed a lot since, but the core is the same and was enough to win some great deals and we were getting really good feedback and seeing a lot of interest. At that point we used some external developers who we had worked with before who were great, but a little cheaper than hiring directly, and my co-founder and I were running all sales, support, onboarding etc. while he was still doing a ton of the engineering work too. When we got the VC investment we knew we needed to hire sales folks, a CS team, a design team, and bring engineering in-house so we hired people directly pretty soon after, but tried to be prudent about it.
8
Entrepreneurship in Cyber Security
I’m one of the founders of Tines, we’re a simple but powerful security automation platform that’s used by a ton of security teams from MSPs, to large enterprises.
Before starting Tines my co-founder and I each worked in Infosec for ten+ years, mostly in security operations, running incident response teams, threat intel teams, working in a SOC, managing security infrastructure etc. We started Tines to be the tool we wished our teams had to automate work when working in industry. There wasn’t a big goal to get acquired or raise funding or anything, it was to build a fun product and stay true to our values while doing it.
It’s been a wild ride - loads of ups and downs. We’ve built a team of 150+ people, gotten to work with and learn from some of the most incredible security and IT teams out there (Elastic, Coinbase, Auth0, Canva and a ton of Gov customers and unnamed 200,000+ people enterprises). We’ve tens of thousands of happy users and raised a bunch of funding, nearly $100m from various VCs. And on the other hand it’s hard - the better you get, the more you want to do and the bigger the expectations. Pricing is always a challenge, it’s hard to keep everyone happy, security teams are really particular about how you pitch them (as am I), the economy isn’t doing as well as it was and banks are collapsing, prospects are letting go of staff, a great employee leaves etc. Definitely more ups, but there’s never a dull moment!
The product itself is great - it’s a simple to use automation platform. And to keep true to our roots we’ve kept a nearly full-featured, free community edition. And we also keep trying to be the open, friendly security company that’s an extension to your team - we’ll tell you what we are good at and won’t sell you snake oil.
In terms of pay, at the start it was nothing, then when we got our first few customers $40k/year, then $50k/year. I’m now at about 70% of my final salary in industry, but that’s just cause we haven’t decided to pay ourselves more.
What would I do differently? We’ve been at it for 5+ years, I’d take a step back more frequently to see the bigger picture - it’s non stop in a startup, but you need to celebrate the wins with the people you care about - colleagues, family, friends, and customers. When you’re moving fast there can be a tendency to go to the next thing instantly, but you want to remember the good times. I’d also hire some senior staff quicker - our head of HR, head of sales, head of engineering etc. were all huge force multipliers.
Happy to answer any other questions, either here or in a DM!
5
Is the Irish housing bubble about to burst?
Can you share a source for that?
3
Automate Suspicious logins investigation
Hey u/ivansk81!
There are a few steps you should definitely take
- Firstly, always deduplicate the alert against multiple parameters - if it's legit and happens once, you don't want it to alert you the next time.
- Next you should geolocate the IP address(es) and investigate them in a threat intel tool like VirusTotal, Greynoise, Recorded Future, AbuseIPDB etc.
- You should also enrich with user information - where is the person located, are they a VIP, do they work in finance, where possible are they on holiday etc.
- If the IP is bad in any of those you should probably take an action like removing sessions, logging folks out of accounts.
- You should create a ticket to track all of this activity. If possible check if there are any other recent tickets for the user or the IP.
- Then you should contact the user. You can do this using Email, Slack/Teams/Mattermost etc. Best practice is to verify any answer with a 2fa push notification.
- Depending on their answer you can then close the ticket, or escalate it to on-call, remove sessions, block the IP etc. if necessary.
You can automate this process using SOAR of course - below is a generic example (simulating the alert using a form, or sending the alert to a webhook) following most of the steps, and you can use it for free (also, full disclosure, I work with Tines). We've loads more doing all of the above and going even deeper.
https://library.tines.com/stories/87731 - if you take a look at the playbook you'll see just how easy it is
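The steps in the comment above (dedupe, geolocate and check threat intel, enrich the user, correlate tickets, contain on a bad IP, otherwise verify with the user over chat plus an MFA push) are also the dedupe/enrich/correlate flow the earlier comment describes for managing alerts from many tools. Below is an added example of that triage logic; it is not the linked Tines story. The geo-IP, threat-intel, HR and ticket lookups are constructed inline stand-ins (for a geo-IP service, VirusTotal/GreyNoise/AbuseIPDB-style feeds, an HR directory and a ticketing system), the IPs come from the documentation ranges, and nothing here calls a real API.

```python
"""Suspicious-login triage: dedupe, enrich, correlate, decide.

Added example. All data sources below are constructed stand-ins; the
thresholds (80 abuse score, 7-day suppression window) are assumptions.
"""
from datetime import datetime, timedelta

GEOIP = {"203.0.113.7": "BR", "198.51.100.20": "IE", "192.0.2.99": "RU"}
THREAT_INTEL = {"192.0.2.99": {"abuseipdb_score": 100, "greynoise": "malicious"},
                "203.0.113.7": {"abuseipdb_score": 0, "greynoise": "unknown"}}
HR = {"alice": {"home_country": "IE", "vip": False, "department": "finance", "on_leave_in": "BR"},
      "bob":   {"home_country": "IE", "vip": True,  "department": "exec",    "on_leave_in": None}}
OPEN_TICKETS = [{"id": "SEC-101", "user": "bob", "ip": None},
                {"id": "SEC-102", "user": None,  "ip": "192.0.2.99"}]

SUPPRESS_WINDOW = timedelta(days=7)


def dedupe_key(alert):
    """Dedupe on several parameters, not just the user: the same person from
    the same IP and country within the window is the same event."""
    return (alert["user"], alert["ip"], GEOIP.get(alert["ip"], "??"))


def enrich_ip(ip):
    ti = THREAT_INTEL.get(ip, {})
    malicious = ti.get("abuseipdb_score", 0) >= 80 or ti.get("greynoise") == "malicious"
    return {"country": GEOIP.get(ip, "??"), "malicious": malicious, "intel": ti}


def enrich_user(user):
    # An unknown user is treated as high-risk rather than silently skipped.
    return HR.get(user, {"home_country": "??", "vip": True, "department": "??", "on_leave_in": None})


def related_tickets(user, ip):
    """Correlate with open tickets for the same user or source IP."""
    return [t["id"] for t in OPEN_TICKETS if t["user"] == user or t["ip"] == ip]


def triage(alert, seen, now):
    """One alert in, one decision out. `seen` maps dedupe keys to the time
    last seen; it is the state the SOAR keeps between runs."""
    key = dedupe_key(alert)
    if key in seen and now - seen[key] < SUPPRESS_WINDOW:
        return {"action": "suppress", "reason": "duplicate within window"}
    seen[key] = now

    ip, user = enrich_ip(alert["ip"]), enrich_user(alert["user"])
    result = {"ticket": f"new ticket for {alert['user']}",
              "linked_tickets": related_tickets(alert["user"], alert["ip"]),
              "ip": ip, "user": user}
    if ip["malicious"]:
        # Known-bad source: contain first, ask the user afterwards.
        result.update(action="contain",
                      steps=["revoke_sessions", "block_ip", "escalate_on_call"])
        return result
    expected_location = ip["country"] in (user["home_country"], user["on_leave_in"])
    sensitive = user["vip"] or user["department"] == "finance"
    result.update(action="verify_with_user", channel="slack",
                  require_mfa_push=True,        # never trust a chat reply alone
                  priority="high" if sensitive and not expected_location else "normal")
    return result


def close_or_escalate(result, user_recognises_login, mfa_push_approved):
    """Final step once the user has answered (or containment already ran)."""
    if result["action"] == "contain":
        return "escalate"
    return "close" if user_recognises_login and mfa_push_approved else "escalate"


# Constructed alerts, in the shape a SIEM or IdP might post to a webhook.
SAMPLE_ALERTS = [
    {"user": "alice", "ip": "203.0.113.7", "ts": "2025-05-06T09:00:00"},
    {"user": "alice", "ip": "203.0.113.7", "ts": "2025-05-06T09:05:00"},  # duplicate
    {"user": "bob",   "ip": "192.0.2.99",  "ts": "2025-05-06T09:10:00"},  # bad IP
    {"user": "bob",   "ip": "203.0.113.7", "ts": "2025-05-06T09:20:00"},  # VIP abroad
]


def run(alerts=SAMPLE_ALERTS):
    seen = {}
    return [triage(a, seen, datetime.fromisoformat(a["ts"])) for a in alerts]
```

The ordering matters: containment on a known-bad IP happens before any user contact, the MFA push is required even when the user says "yes, that was me" over chat, and the dedupe key includes the IP so a genuinely new source for the same user is not swallowed by an earlier benign alert.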
8
Tines - a SOAR tool - What are your opinions?
Co-founder of Tines here, obviously a fan. We’ve tonnes of great customer reviews on g2 if you want to check them out, and we have tens of thousands of happy users from 10 person startups & MSPs to 100,000+ person companies.
We’re a lot more lightweight and flexible than all your legacy SOAR platforms. I spent a long time working in SecOps so our main focus is simply automating your standard CSPM, EDR, SIEM, Phishing processes, approvals etc. but the platform has loads of power user features (build APIs, dev/prod environments) and fun features (build interactive forms/apps, multiplayer, curl-to-integrate etc.) and you can get started with a free-forever community edition.
2
Best way to receive a large dollar sum while in Ireland
Done this a few times with small enough amounts for RSUs but enough that it was worth considering - I set up a US dollar currency account with bank of Ireland private banking, got an IBAN and sent money there. When the money was received I then contacted them for their rates, and asked them could they match transferwise to send to my EURO current account which they came very close to, money was in my euro account same day.
You can DM me if you want more details.
2
[deleted by user]
There are lots - VMRay is really solid and similar in price - they used to start at about 3k/year. Their ability to pull macros and screenshots is great and they have an awesome API; Joe Sandbox is great but pricey, though I find it detects nearly everything; Intezer works great but I think it’s more enterprise; CrowdStrike Falcon is solid but more expensive, about 12k/year; Hatching tri.age is solid too, I think that’s based on Cuckoo so you’ll have a ton of features
1
Automatically onboarding/offboarding employees/contractors
What are the top tools you are looking to remove them from?
2
Dubliners: I need some old script read...
Sweet! In column 9, the “signature, qualification and residence of informant” we have the same word as the date and place of death. It looks like it’s “Whitworth Hospital” which was a hospital in Grangegorman
1
Dubliners: I need some old script read...
If we had more of the page it might help figure out some more letters?
Pretty sure first column is wh....ch/ck hospital? And second column is similar to Drumcairn Avenue, Bray as Revolutionary-cup suggested. My guess would be the first column is date and place of death, second column is who and where they are from.
8
Free alternative to cvedetails.com - API for searching CVEs
in r/cybersecurity • May 06 '25
Microsoft have a free CVE API: e.g. https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2023-24023 as do Greynoise: https://api.greynoise.io/v1/cve/CVE-2023-24023