This post has been de-listed
It is no longer included in search results and normal feeds (front page, hot posts, subreddit posts, etc). It remains visible only via the author's post history.
I've worked at multiple places and often times when there is suspicious activities e.g. a user was found download from multiple s3 buckets (which is more security intelligence) vs a user was found downloading pentest tools (more malicious), the SOC team just confirms it via email or teams/slack etc. is this enough? If I had compromise then user, i would just fake these messages. Ofc if the attacker could only access s3, these confirmation would help, but email/teams validation seems like it's not enough.
My question is when is it not enough, some examples would be great, and general thoughts.
Edit: tickets are raised, the question is more on confirming the activities by the user
Subreddit
Post Details
- Posted
- 4 months ago
- Reddit URL
- View post on reddit.com
- External URL
- reddit.com/r/AskNetsec/c...