Microsoft Sentinel automation rules to manage response | Logic Apps | Automation Rules | Playbooks

  • Published 21 Jan 2025

Comments • 8

  • @Absolut257
    @Absolut257 a day ago

    Good illustration of making automation rules. Side note, and this is probably obvious for most folks: in this particular example the right way to do things would have been to create the analytic rule to already ignore the office space IP range, so as not to waste time and money creating an additional automation rule to suppress the resulting false positives.

  • @krishnabadrib1706
    @krishnabadrib1706 a year ago +1

    Does an L1 SOC analyst do this in the office?

    • @SudoRootcast
      @SudoRootcast a year ago +1

      Not sure, it depends. Usually L2 and L3. Thanks!

  • @Fmd63067
    @Fmd63067 6 months ago

    What is authpriv? Failed login attempts in authpriv: is it like a table of logs?

    • @SudoRootcast
      @SudoRootcast 6 months ago

      unix.stackexchange.com/questions/59525/difference-between-authpriv-and-auth

  • @VivekSharma-vy1xk
    @VivekSharma-vy1xk a year ago +1

    Great content. I followed it step by step for MFA-related incidents. It failed on the 3rd step with this error:
    ExpressionEvaluationFailed. The execution of template action 'For_each' failed: the result of the evaluation of 'foreach' expression '@triggerBody()?['object']?['properties']?['Alerts']' is of type 'Null'. The result must be a valid array. Am I missing something here?
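A defensive form of the failing loop, as an added example that is not from the video, the comment, or Microsoft's own playbook templates: a Logic Apps workflow-definition fragment whose `foreach` expression wraps the same `Alerts` path in `coalesce(..., json('[]'))`. When the trigger payload carries no `Alerts` array, the loop runs zero times instead of raising `ExpressionEvaluationFailed`, so the playbook completes and the incident is not left with a failed automation run. The action name `Compose_alert` and the empty `runAfter` objects are assumptions chosen for the illustration; the only Sentinel-specific piece is the expression already quoted in the error message.

```json
{
  "actions": {
    "For_each": {
      "type": "Foreach",
      "foreach": "@coalesce(triggerBody()?['object']?['properties']?['Alerts'], json('[]'))",
      "actions": {
        "Compose_alert": {
          "type": "Compose",
          "inputs": "@items('For_each')",
          "runAfter": {}
        }
      },
      "runAfter": {}
    }
  }
}
```

The guard only hides the symptom; the check a practitioner would add is to confirm that the playbook is started by the Sentinel incident trigger, since the `object.properties.Alerts` path is populated for incident payloads, and to inspect the run history's trigger output to verify that the array is present before deciding the null was expected.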

  • @RaniUG
    @RaniUG a year ago

    Are data connector, analytic rule and playbook interconnected?