u/Cant_Think_Name12

'Teams Sender' Missing from TABL - Occasionally

Hi All,

I have been trying to block teams senders within XDR > TABL. The issue is that sometimes the option for 'Teams Senders' is there, and other times it is not. I confirmed with Microsoft that my tenant is configured correctly. Is anyone else experiencing the same issue?

The issue seems to arise if I don't fully sign out of XDR, then sign back in (that sometimes fixes it, not always). If I reuse a session from yesterday, then Defender removes 'Teams Sender' and other settings until I fully log out.

Note: The setting (Teams Senders) seems to disappear shortly after logging in from a fresh session, and won't persist for my full session.

I have had a ticket in for 6 months about this now, and there has been ZERO movement on fixing it. Yet again, signing out and in only sometimes fixes it. We keep getting slammed by Fake Teams senders and cannot block them since the option is missing.

What it should look like:

https://preview.redd.it/vhjsq44h8h2h1.png?width=859&format=png&auto=webp&s=af60592b9a944296d16757eb31d6694786fe3ec6

What it looks like 99% of the time (note the missing last option):

https://preview.redd.it/myssb8fj8h2h1.png?width=829&format=png&auto=webp&s=1efa56c00986e78dfc671614b8b52dd0e7123d91

My question - has anyone else experienced this? If not, can anyone tell me if you freshly sign in to Defender every day, or if you reuse your session from yesterday? Would also appreciate it if maybe you could reuse an old session and check for me if the setting is missing.

u/Cant_Think_Name12 — 2 days ago

How to Transfer files Safely from a Compromised (work) Device

Hi All,

I was hoping to get some feedback from everyone here on how to handle a compromised device we have at work. Long story short, malware ran and we need to retrieve files from the device (work ones) but aren't sure the best way to go about it.

We use Defender and I was thinking we could use live response while the device is in an isolated state; however, I don't know (yet) how many files the user needs from the device. If there's a handful, it will be quick. If it's a lot, it would take a long time.

My only other thought is to pull the drive, connect it to a fresh, off-domain computer, apply a write-block, then pull the required files onto a USB, then move those to the new (user) device.

My questions -

  • What method would be recommended of the two?
  • Is there a better method? If so, what would you suggest?
  • How can I confirm the file(s) are clean once retrieved? (my biggest concern)

Any feedback would be great - thanks!

Edit:

u/Cant_Think_Name12 — 9 days ago
▲ 4 r/GIAC

GCFE - How similar to the Exam are the Book Quizzes

As the title implies, how similar to the exam are the book quizzes? I know the best way to judge your index is based on the practice tests, but so far my index has been working pretty well for the book quizzes. Are the exam (multiple choice) questions similar to the quizzes?

u/Cant_Think_Name12 — 14 days ago