User Profile
GuyThreep
Copper Contributor
Joined Mar 16, 2021
Recent Discussions
False positive: Suspicious PowEmotet behavior was blocked
Based on social media posts, it seems quite a few of us are experiencing numerous false positive alerts related to 'PowEmotet'. While it's understandable that false positives happen, it's also somewhat amazing this one made it through QA. But this also highlights some things that I find extremely frustrating about Defender for Endpoint. There does not seem to be a reliable way to deal with these at a tenant level, aside from setting status to "false positive" and potentially adding a file hash of a related executable to Indicators and hoping it goes away. Is there anything I'm missing here? Also, where is Microsoft acknowledging this issue? Where should I go for up-to-the-minute updates on occurrences like this?

Re: Sysmon worth using in addition to Defender ATP?
We do exactly this. There's certainly going to be significant overlap, but having a configuration that is able to be tuned to your needs (Sysmon) is incredibly useful. We've been doing testing of different attacker techniques, and there are things you can log via Sysmon that won't show up in the ATP timeline (e.g. named pipes). And aside from that, there's always the advantage of being able to access the data from a common interface with your other logs when sending to your SIEM.
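The named-pipe point above is the kind of gap a tuned Sysmon configuration closes. The following is an added example, not code from the poster or from Microsoft: a minimal Sysmon config that enables pipe events (Event ID 17 = pipe created, 18 = pipe connected) while excluding a few noisy built-in pipes, applied via Sysmon's own command line, followed by a small PowerShell function that pulls those events back out of the Sysmon channel for triage. It assumes Sysmon is already installed as `Sysmon64.exe` on the PATH and that the session is elevated; the `schemaversion`, the exclude list and the image allowlist in the final hunt are constructed starting points, not a vetted baseline.

```powershell
# Added example (not from the original post). Assumes Sysmon64.exe is installed
# and on the PATH, and that this runs in an elevated PowerShell session.

# 1. Minimal Sysmon config that turns on named-pipe logging (Event ID 17 = pipe
#    created, 18 = pipe connected) and excludes a few noisy built-in pipes.
#    The schemaversion must match the installed Sysmon binary
#    (Sysmon64.exe -? config prints the schema it expects); 4.50 is an assumption.
#    The exclude list is a constructed example, not a tuned production baseline.
$config = @'
<Sysmon schemaversion="4.50">
  <EventFiltering>
    <RuleGroup name="NamedPipes" groupRelation="or">
      <PipeEvent onmatch="exclude">
        <PipeName condition="is">\srvsvc</PipeName>
        <PipeName condition="is">\wkssvc</PipeName>
        <PipeName condition="is">\lsass</PipeName>
        <PipeName condition="is">\ntsvcs</PipeName>
      </PipeEvent>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@

$configPath = Join-Path $env:TEMP 'sysmon-pipes.xml'
Set-Content -Path $configPath -Value $config -Encoding ASCII

# 2. Apply it. -c updates the configuration of an already-installed Sysmon;
#    a first-time install would instead be: Sysmon64.exe -accepteula -i $configPath
& Sysmon64.exe -c $configPath

# 3. Read recent pipe events from the Sysmon channel and flatten EventData
#    (Name/#text pairs) into one object per event.
function Get-SysmonPipeEvents {
    param([int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'
        Id      = 17, 18
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            EventId   = $_.Id            # 17 = CreatePipe, 18 = ConnectPipe
            PipeName  = $data['PipeName']
            Image     = $data['Image']
            ProcessId = $data['ProcessId']
        }
    }
}

# 4. Example hunt: pipe activity from anything other than a few well-known
#    service hosts. The allowlist is illustrative; tune it to your estate.
Get-SysmonPipeEvents -MaxEvents 500 |
    Where-Object { $_.Image -notmatch '\\(svchost|lsass|services)\.exe$' } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

The same flattened objects can be exported with `Export-Csv` or shipped by your log forwarder, which is the "common interface with your other logs" advantage the post mentions: once the PipeName and Image fields are columns in the SIEM, pipe-based lateral-movement tooling can be hunted alongside process and network events rather than only in the endpoint console.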