Exposure Management Dashboard/Report for Workstations Vulnerabilities

Hello all,

I am getting into the Exposure Management feature set and starting to review what our environment looks like. There is some product cross over with another platform we have so I was looking for a similar feature in maybe a report or a dashboard relating to workstations. I can't seem to find anything off hand right now.

Is there a report or a dashboard that shows workstations and related vulnerabilities by some sort of criticality rating (CVSS or ExPRT)? I am looking to get a prioritized list of workstation remediations that we should address. I believe ExPRT is probably the best metric. When I dive into the vulnerability dashboards a lot of them list the vulnerability, but it seems difficult to tie the vulnerabilities back to an actual host/system.

I could be just being dumb though. I might be staring at the solution in exposure management but overlooking it.

reddit.com
u/Khue — 5 days ago

Invoke-RestMethod: Problem with Body Variable Format

I am trying to convert a curl command to PoSh's Invoke-RestMethod. I typically don't have a problem with this but today, I seem to be having an issue. Curl command looks like this:

 curl https://api.domain.com/stuff/thing/items \
   -H "Authorization: Bearer $TOKEN" \
   -H "Content-Type: application/json" \
   -d '[
     { "key1": "value1", "key2": "value2" },
     { "key1": "value3", "key2": "value4" }
   ]'

To start off and make things easy, I was simply trying to do a single json entry.

$body = @"
{
    "key1": "value1",
    "key2": "value2"
}
"@ | convertto-json

Using that format I then passed it into invoke-restmethod:

Invoke-RestMethod -Uri "https://api.domain.com/stuff/thing/items" -Method post -Headers $headers -body $body

Which then spit back:

Invoke-RestMethod:                                                                                                      
{
  "result": null,
  "success": false,
  "errors": [
    {
       "code": 10026,
       "message": "filters.api.invalid_json"
    }
  ],
  "messages": []
}

I tried a few different versions of this as well without too much luck. This is the first time I've had to submit an actual key value combination to this particular API using JSON. The only other body format example I have for this particular vendor's APIs in JSON format is this:

$body = @{
    value = @(
        "value1",
        "value2",
        "value3",
        "value4"
    )
} | ConvertTo-Json

This particular endpoint didn't require a key value pair. It only required a list of strings.

Update:

Credit to /u/y_Sensei . What ended up working was this:

Single key value pair:

$body = @'
[
  {
    "key1": "value1",
    "key2": "value2"
  }
]
'@

Multi key value pair:

 $body = @'
 [
   {
     "key1": "value1",
     "key2": "value2"
   },
   {
     "key1: "value3",
     "key2: "value4"
   }
 ]
 '@

Thank you to all contributors! I appreciate it!

reddit.com
u/Khue — 5 days ago
▲ 7 r/github

Enterprise Access Restrictions and GitHub EMU

Hey all,

Security engineer here. I am currently going back and forth with support and I guess I am super confused about a feature in GitHub and leveraging GitHub Enterprise Managed Users. This is the article I am referencing.

I have a concern that there is a data egress issue with GitHub in my organization. Under my GitHub Enterprise tenant, I leverage SSO for access to GitHub for my local developers. I can add and remove these users at will and grant them access to various repos. I have a concern, that a given user in my environment could have a personal GitHub account and that user could login to their personal GitHub account and upload company data (data egress concern; IP leaking). I stated this issue in another sub, and they pointed me in the direction of the linked article and my first time through reading it, it seemed like it would address the issue. As I went through the steps configuring my corporate proxy and getting with someone in my organization with Enterprise Owner rights over the GitHub Enterprise Account with the Enterprise Managed Users, we both came to the conclusion that the option mentioned in step 4 in the "Enabling access restriction" doesn't appear to exist:

> In the "Enterprise access restrictions" section, select Enable enterprise access restrictions

I went ahead and opened a ticket with GitHub support, and after a few back and forths, the support team told us:

> With enterprises enabled for data residency the feature is not available as those enterprises have a reliance on ghe.com and not github.com, so therefore you can instead block github.com entirely.

We had a few more back and forths, but the support agent continues to harp on the fact that I need to block bits and pieces of github.com, like signup pages, in order to get my desired outcome. Furthermore, in the documentation, the only bit about data residency that I see is this:

> If you use GitHub Enterprise Cloud with data residency, your enterprise resides on a dedicated subdomain of GHE.com, so the header is not required to differentiate traffic to your enterprise's resources.

My interpretation of this is that for all other GitHub domains you need to use the header to protect the traffic, but when your users attempt to access ghe.com base domains, the header is not required because you don't care to block them from that base domain. They have accounts with the tenant so when they navigate to companycustomdomain.ghe.com you don't care about looking at the header because if they didn't have an account in the tenant they wouldn't be able to login anyway.

Questions:

  1. Has anyone else had experience with this feature?
  2. If so am I missing the point of the feature?
  3. Is my data egress concern with personal GitHub accounts valid or am I missunderstanding GitHub?
u/Khue — 25 days ago
▲ 5 r/AZURE

Restoring From Backup Vault: Storage Requirement

I am attempting to test some of my backups from my backup vault and it looks like I need a storage account in the same location. I was going to stand up a storage account but the only requirement I see, is that blob storage is NOT supported. Is a simple "file" storage account type with LRS with standard performance okay? I am looking at this page: https://learn.microsoft.com/en-us/azure/backup/backup-azure-arm-restore-vms

Seems to not be very specific. Thanks in advance.

u/Khue — 1 month ago

Sandbox Email Correspondence and Exchange

Hey all,

Newer to Hubspot. We have a sandbox setup for testing and learning the platform and we seem to be having an issue with email setup. We have a shared email account for our customer service group in Exchange 365 and we've run through the setup process for the account in HubSpot. We can send emails into hubspot using the account, but for some reason, we do not seem to be able to respond to correspondence back to the email box from within Hubspot sandbox.

We've attached to the exchange 365 account using different methods/mechanisms (PowerShell/other exchange clients/etc) and we don't seem to be having an issue sending and receiving on the account itself.

Is there some sort of limitation of sending emails from a sandbox account to an external email address?

Update: See /u/TrainingPuzzled3944 for explanation. Sandbox accounts have limitations.

reddit.com
u/Khue — 1 month ago

Potential CloudApp Control Circumvention?

Hey all,

We've been leveraging CloudApp controls for quite some time. They seemingly work pretty well. An example of where we have successfully applied CloudApp controls to meet business needs is for web based mail clients, we allow users to read emails and send emails, but we do not allow them to upload content and attach files to outbound emails. For the past four years or so, this has worked pretty well.

Yesterday, I noticed a potential loop/gap in CloudApp control. I have an application that I typically use for communications and I've never been able to attach/upload files to send. While I was messing around with it, I noticed that they recently changed one of the input fields to allow files to be copy/pasted from the clipboard. So instead of clicking the upload/attach button, you can just simply paste directly into the input field. My expectation was that with CloudApp control, this would be denied but it wasn't. I did a full end to end test and it appears like when you copy/paste into the field you can pretty much upload anything you want. To confirm, I leveraged the attach/upload button and that was denied as expected.

Has anyone else run into this? Am I missing something here? I have a concern now that if this type of input field exists elsewhere, this could be a major hole if CloudApp control is not able to block this.

Looking for suggestions/thoughts about this. Thanks in advance.

reddit.com
u/Khue — 1 month ago
▲ 1 r/AZURE

Management Group IAM Inheritance

Hey all,

I am trying to troubleshoot some IAM inheritance issues in our tenant and I think I've tracked down most of the redundancies. When we first setup the tenant I believe we didn't realize that there was an inheritance mechanism so instead of just letting that exist, we ended up putting certain principles on each nested management group level. This created a hot mess when you eventually got down to an individual Azure Resource.

I've done most of the documentation legwork but there is still one mechanic that isn't quite clear to me. On our tenant root group, our primary owner is listed as both the owner on the "Tenant Root Group", but also as owner on "Root (Inherited)". Two questions:

  1. Where is the configuration for "Root (Inherited)" managed? There is currently nothing in the tree above Tenant Root Group.
  2. It seems redundant for an identity to be both owner at the "Root (Inherited)" level and at the "Tenant Root Group" level. Could I ostensibly remove the identity from the "Tenant Root Group" level and still have the identity gain ownership throughout the rest of the Management Group tree structure from the "Root (Inherited)" scope?

I understand that this is probably not best practice as far as dealing with the "owner" role, but the first step for me is to just clean up things to begin.

reddit.com
u/Khue — 1 month ago
▲ 7 r/Intune

Intune Endpoint Security Baseline for Windows 10/11

Hey all,

I just noticed that my Windows 10/11 based secure baselines are still leveraging the old version prior to 23H2. I went ahead and created a new baseline as indicated by instructions and when I did it put out a 25H2 version. Obviously, I will need to reconcile any custom configurations I had in the old version with the new 25H2 version. I had the following questions:

  • Is the default out of the box version of the secure baseline considered to be the "best practice" version?
  • Is there some documentation somewhere that goes into detailed information about the out of the box configuration that gets applied when you create this baseline? Ideally, it would be cool to see explanation of the settings and compliance with something like NIST SP 800-53 rev5.
reddit.com
u/Khue — 1 month ago

Having Difficulties Adding Detections to Cases

Hey all,

Still learning the ins and outs of the Falcon platform. I've been grouping like detections into cases recently as a way of organizing and keeping everything central for tracking. I logged in today and went along my little process I've been using and I noticed today, I haven't been able to add detections to a case. I've tried to group add and I've also tried to add one at a time but no luck.

Is there a timing thing I haven't noticed before? Does this sometimes happen? Are there certain detection types I cannot link/associate to a case?

reddit.com
u/Khue — 2 months ago

Spreadsheet for MCSBv2

Hey all,

My GoogleFu seems to be failing me. I am looking for the MCSBv2 (Microsoft Cloud Security Baseline) in spreadsheet format. I found a bunch of v1s but they don't seem to have the baseline information for DevOps and AI. I might be failing to find it because it's still in preview mode.

Anyone have better luck than me?

u/Khue — 2 months ago

Hey all, long time lurker, first time caller. I just recently went through a bunch of updates on my G9. Firmware and base OS both did about 30 minutes of updates. After the updates everything seemed okay. The nice part is that the OS navigation seemed to get peppier so switching between HDMI and DP wasn't such a painful undertaking.

Recently, like as of today, I noticed that a section of the panel has started doing what I can only describe as a "bounce" behavior where the area from about midway through the panel to about 12 inches to the right moves up about a pixel and then back into position every 5-6 seconds or so.

I've only just recently noticed this on my work laptop's HDMI connection. Has anyone else seen this? What should be my level of concern here? Is the panel on it's way out possibly?

reddit.com
u/Khue — 2 months ago

Quote Text Block Gone

I noticed this a few weeks ago, but it's getting annoying now. At some point the quote text block was removed from Outlook when writing correspondences. Is this something broken with my Outlook specifically? Is there a way to get it back? I leverage it a lot.

Resolved:

Credit to /u/traccreations4e . Solution:

In New Outlook, to insert Quote Style in the body of an email, it is under:

  1. Format Text
  2. Click on the Styles Icon (A and pencil)
  3. Choose Quote
reddit.com
u/Khue — 2 months ago
▲ 1 r/vscode

We've started investigating GitHub for Copilot and there are some attractive features within it that we would like to take advantage of. This would involve us migrating our repos out of Azure DevOps Repos and into GitHub.

When a developer goes to use VSCode, is there a way of preventing them from accessing accounts other than their current enterprise account for our organization? I might be thinking about this incorrectly/overthinking it but in my mind, there seems like there could possibly be a data egress issue if the developer pulls code from our GitHub repo, logs out of their business account, logs in with their personal account, and then pushes the code back to a personal GitHub account.

Full disclosure: I am a sec guy so I am not even quite sure if this is even a valid data egress narrative. Is this even a valid concern? Should I be worried about data egress of our internal business IP to a personal account in GitHub?

Thank in advance for any thoughts about this.

reddit.com
u/Khue — 2 months ago

I've been poking around for the last 30 minutes but I haven't been able to find anything (my GoogleFu is failing). Is there a Zscaler resource that defines Cloud Apps? I am specifically trying to find the definitions behind the following Cloud Apps:

  • Copilot
  • Microsoft Copilot
  • Microsoft Copilot Studio
  • GitHub Copilot

I think I understand the differentiation between GitHub Copilot and the others, but I am not sure about the differences between the three non GitHub designated Copilot versions.

Is there a Zscaler resource that breaks this down more granularly?

reddit.com
u/Khue — 2 months ago