Other Discussions
-
Insidious Nightmares: Automating Employee Onboarding and Off-boarding
🔐 Goodbyes can harbor unforeseen risks, especially when departing employees possess crucial access and knowledge. Meet the "Lord Darths" of the corporate world—ex-employees with potent technical admin privileges, driven by motives to harm or exploit. Insider threats are real, and their impact can be substantial.
Consider the alarming history of insider threat cases; these individuals, armed with expertise and access, pose a considerable risk. Managing the employee lifecycle is pivotal and includes everything from onboarding, retention, development and recognition to exit. Our latest blog covers the critical stages of onboarding and exit. Check out the blog by Logpoint Security Analyst, Roshan Bhandari, on our website here or read the key insights below:
Insights into Insider Threats
-
Staggeringly, 74% of respondents to a survey feel moderately to extremely vulnerable to insider threats.
-
The most critical impacts of insider attacks were loss of critical data (45%), brand damage (43%), and operational disruption or outage (41%).
-
Insider threats can be costly: 59% of insider threat motivation was monetary gain, while 50% was reputation damage.
-
The time to contain an insider threat incident increased from 77 days to 85 days, leading organizations to spend the most on containment.
Notable Insider Threat Incidents
-
The FBI arrested a 21-year-old Air Force guardsman in the Pentagon leak case.
-
A Yahoo lawsuit alleged an employee stole trade secrets upon receiving a Trade Desk job offer.
-
Proofpoint alleged an ex-exec took trade secrets to Abnormal Security.
-
A fired healthcare exec stalled a critical PPE shipment for months.
-
An Apple lawsuit says 'stealth' startup Rivos poached engineers to steal secrets.
-
Phishing and Quishing – Email Investigation and Response Using Logpoint
Email has become an indispensable part of our lives, and the need for heightened cybersecurity awareness has never been more critical. Phishing attacks are among the most common and insidious threats to our online security.
Here are some eye-opening facts that underscore the extent of this global issue.
💰 Shockingly, cybercriminals invest significant sums daily, ranging from $200 to $1000, to orchestrate intricate phishing campaigns, underscoring the immense resources allocated to compromising your security.
🔐 Disturbingly, statistics reveal that over the past six months, users reported phishing attempts only 11.3% of the time. This alarming figure highlights the need for proactive measures against these threats, as a significant number of malicious attempts go unreported.
🚫 The good news is that tech giants like Google are at the forefront of the fight against phishing. They actively thwart around 100 million phishing emails daily, providing a robust defense against these nefarious attacks.
Protect your organization's integrity and safeguard your personal information by delving into our comprehensive guide on how to investigate and respond to email threats effectively 📩
Read the full article here: https://www.logpoint.com/en/blog/emerging-threat/email-investigation-and-response-using-logpoint/
-
Unmasking APT29: The Elusive Cozy Bear Cyber Threat
Warning! Detect, respond, and manage this active ransomware with Converged SIEM, AgentX, and SOAR automation playbooks.
Emerging Threats Protection Report
Not Too Cozy: Cozy Bear
What you get:
- Introduction to Cozy Bear
- Free download report from our Security Research team.
- Playbooks: Automate your way to protecting against Cozy Bear.
- How can you leverage your Converged SIEM against Cozy Bear? Download the report.
Here is why this is important. Some Cozy Bear background info:
Fast Facts:
🔍 Aliases: The Dukes, APT-29, Cozy Bear, or Nobelium - whatever you call them, they're the same. We'll use these aliases interchangeably throughout the blog and report.
🌐 A Notorious Background: The Dukes, believed to be linked to Russia's Foreign Intelligence Service (SVR), are a formidable cyber espionage group. Their targets? Governments, NGOs, businesses, think tanks, and other high-profile entities through sophisticated spear-phishing campaigns.
🤺 Unconventional Tactics: The Dukes are known for their unconventional techniques, employing HTML Smuggling and malicious ISO images to deliver malware while slipping past security measures.
🇺🇸 Political Intrigue: APT-29 made headlines by targeting political entities, gaining notoriety for hacking the Democratic National Committee during the 2016 U.S. presidential election.
🌌 SolarWinds Shockwave: APT-29's most significant operation was its involvement in the 2020 SolarWinds supply-chain attack, which compromised multiple sectors of the U.S. government. This event showcased their capabilities and sophistication, making them a force to be reckoned with.
Knowledge is your shield in the ever-evolving world of cybersecurity. With Logpoint's expert analysis, you're not just informed; you're equipped to face the challenges of the digital age head-on.
Join us in the quest for cyber resilience. Dive into the report and fortify your defenses against APT29 and its aliases and read the full report below 🌐
-
WinRAR – Decompression or Arbitrary Code Execution
Fast Facts
-
With over 500 million users worldwide, WinRAR is the world’s most popular compression tool!
-
CVE-2023-38831, named ‘RARLAB WinRAR Code Execution Vulnerability’, is an arbitrary code execution vulnerability in WinRAR, with a CVSS score of 7.8.
-
The CVE-2023-38831 vulnerability has been patched in the latest version of WinRAR; it affects versions prior to 6.23.
-
Threat actors have been targeting this vulnerability to deliver malware such as Agent Tesla, GuLoader, Remcos, and Darkme.
Curious to read more and understand how Logpoint’s platform can assist analysts in detecting and responding to security issues? Read the full article on Logpoint’s blog here: WinRAR – Decompression or Arbitrary Code Execution
-
Warning! Detect, respond, and manage this active ransomware with Converged SIEM, AgentX, and SOAR automation playbooks.
What you get:
- Introduction to Akira ransomware via blog.
- Free download report from our Security Research team.
- Playbooks: Automate your way to protecting against Akira.
- How can you leverage your Converged SIEM against Akira? Download the report.
Here is why this is important. Some Akira background info:
Emerging Threat: Akira, Not a CyberPunk Movie – A Very Real Ransomware Threat
Fast Facts
-
Emerging in March 2023, Akira ransomware has been grabbing daily headlines with its relentless and perilous assaults, leaving a trail of mounting victims.
-
Akira is actively targeting Cisco ASA VPNs without multi-factor authentication to exploit CVE-2023-20269 as an entry point for their ransomware.
-
Akira was among the Top 10 Ransomware groups in August 2023, with no indication of slowing down.
-
Akira is not limited to Windows: a variant of the ransomware can also infect Linux systems.
-
As of September 6, 2023, they have successfully struck 110 victims, including big-name organizations such as Quality Assistance Leader, Intertek.
Akira has emerged as a tenacious and devastating adversary in an ever-changing field of cyber threats that has grabbed widespread notice in a short period of time. Organizations must adapt and improve their security procedures in this situation. The growing number of people falling victim to this expanding menace emphasizes the importance of the situation.
Logpoint's security operations platform, Converged SIEM, contains a range of extensive tools and capabilities for identifying, evaluating, and mitigating the impact of Akira Ransomware. With features like native endpoint solution AgentX and SOAR with pre-configured playbooks, it enables security teams to automate essential incident response procedures, gather vital logs and data, and expedite malware detection and removal operations.
In an ever-changing threat landscape, Logpoint gives organizations the tools and capabilities they need to monitor risks, build defenses, and protect against Ransomware activities like Akira.
SOAR is always included in your Logpoint subscription. Not set up to use SOAR? Reach out to your local Logpoint representative or customersuccess@logpoint.com to hear how we can get you started.
Did you download the report? If so we would like to hear from you. Send us a message below and let us know your thoughts. What did you like? How can we improve it?
-
Defending Against 8base: Uncovering Their Arsenal and Crafting Responses
The 8Base ransomware group initially surfaced on the cyber threat landscape in March 2022, and their activities significantly increased in June 2023. They notably target small and medium-scale industries. While their actions began in March 2022, it wasn't until May 2023 that a substantial increase in their activities became apparent. This placed them among the top 5 most active ransomware groups in both June and July 2023.
In the realm of ransomware activities, our focus has unwaveringly remained on various groups and their activities. As the calendar rolled into July, the emergence of the 8Base group took a significant turn as it secured the 3rd position among the top 5 ransomware groups. As it continues to widen its range of victims and expand its operations, the group poses a growing threat, solidifying its position as a potent adversary in the ever-changing cyber threat landscape.
In the report you can read more about the Logpoint Emerging Threats Protection as well as recommendations to keep your environment more secure against various threats.
-
Onenote Malicious Attachment as Initial Vector – Detect, Investigate, and Remediate using Logpoint
Attackers are using OneNote files to infiltrate systems by embedding malicious payloads, with OneNote becoming a popular option after macros were disabled.
The attack is not new, with techniques ranging from phishing to sharing OneNote files, and payloads including RATs and information stealers.
To detect and respond to these attacks, it is recommended to inspect the strings in .one files, monitor OneNote’s child process executions, and check for suspicious use of built-in Windows binaries. Windows and 7-Zip have fixed bugs that allowed malicious file formats to bypass security warnings.
The report explores how this attack works and its potential longevity.
https://www.logpoint.com/en/blog/onenote-malicious-attachment-as-initial-vector/
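The post recommends inspecting the strings of .one files for embedded payloads. As an added example (not Logpoint's code or the blog's), the script below does that structurally rather than with a plain strings dump: it walks the FileDataStoreObject records that OneNote uses to store attachments, reads each record's length field, checks that the trailing footer is present, and labels the embedded object by its leading bytes. The header and footer GUIDs are taken from Microsoft's MS-ONESTORE specification, not from this page; the sample document bytes are constructed so the script runs offline.

```python
"""Hunt for embedded file objects inside a OneNote (.one) document.

Added example; this is not Logpoint's code or the blog's. The two GUID
delimiters are the FileDataStoreObject header and footer defined in
Microsoft's MS-ONESTORE specification (they are not given on the page);
the sample .one bytes below are constructed so the script runs offline.
"""
from __future__ import annotations

import struct
import uuid

# FileDataStoreObject framing (MS-ONESTORE): header GUID, 8-byte little-endian
# length, 4 unused bytes, 8 reserved bytes, the embedded file data, footer GUID.
FILE_DATA_HEADER = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
FILE_DATA_FOOTER = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le
HEADER_SIZE = 16 + 8 + 4 + 8


def classify_payload(payload: bytes) -> str:
    """Label an embedded object by its leading bytes; 'other' when it looks
    like ordinary content (an image, a PDF, ...)."""
    if payload.startswith(b"MZ"):
        return "PE executable"
    # Shell link header: HeaderSize 0x4C followed by the start of the LNK CLSID.
    if payload.startswith(b"\x4c\x00\x00\x00\x01\x14\x02\x00"):
        return "Windows shortcut (.lnk)"
    head = payload[:512].lower()
    for marker, label in (
        (b"<hta:application", "HTML application (.hta)"),
        (b"wscript.", "WSH script"),
        (b"powershell", "PowerShell script"),
        (b"cmd.exe", "batch file"),
    ):
        if marker in head:
            return label
    return "other"


def extract_embedded_files(data: bytes) -> list[dict]:
    """Walk every FileDataStoreObject in the document and describe it."""
    findings = []
    pos = 0
    while (start := data.find(FILE_DATA_HEADER, pos)) != -1:
        if start + HEADER_SIZE > len(data):
            break  # header cut off: nothing more to parse
        (length,) = struct.unpack_from("<Q", data, start + 16)
        body_start = start + HEADER_SIZE
        body = data[body_start:body_start + length]
        footer_at = body_start + length
        findings.append({
            "offset": start,
            "size": length,
            "truncated": len(body) < length,          # declared length exceeds the file
            "footer_ok": data[footer_at:footer_at + 16] == FILE_DATA_FOOTER,
            "kind": classify_payload(body),
        })
        pos = body_start + max(len(body), 1)
    return findings


def suspicious_objects(data: bytes) -> list[dict]:
    """Only the objects a defender would want to look at."""
    return [f for f in extract_embedded_files(data)
            if f["kind"] != "other" or f["truncated"]]


def build_sample_document(payloads: list[bytes]) -> bytes:
    """Constructed stand-in for a .one file: filler bytes with each payload
    wrapped in FileDataStoreObject framing (real files carry much more)."""
    blob = bytearray(b"\x00" * 64)
    for payload in payloads:
        blob += FILE_DATA_HEADER
        blob += struct.pack("<Q", len(payload)) + b"\x00" * 12
        blob += payload + FILE_DATA_FOOTER
        blob += b"\x00" * 32
    return bytes(blob)


# Constructed sample: a benign PNG header and an MZ-headed (executable) attachment.
SAMPLE_DOC = build_sample_document([
    b"\x89PNG\r\n\x1a\n" + b"\x00" * 40,
    b"MZ" + b"\x00" * 62,
])

if __name__ == "__main__":
    for finding in extract_embedded_files(SAMPLE_DOC):
        print(finding)
```

A record whose declared length runs past the end of the file, or whose footer is missing, is reported as truncated or malformed rather than skipped, since a parser that silently drops odd records is exactly what a crafted document would exploit. Point `extract_embedded_files` at the bytes of a real .one file to list its attachments.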
-
ESXiArgs Ransomware: never too early to jump the gun
Hi All,
We are excited to share our latest blog on ESXiArgs Ransomware by Logpoint Security Researcher, Bibek Thapa Magar.
The VMware ESXi hypervisor allows organizations to host multiple virtual systems on a single physical server. A global ransomware campaign named “ESXiArgs” is targeting VMware ESXi servers by exploiting a two-year-old vulnerability (CVE-2021-21974). The involvement of other CVEs has been speculated. In October 2022, a custom Python backdoor was detected on a VMware ESXi server, which could run remote commands or launch a reverse shell. This backdoor may have a role in the infection routine.
Get research and analysis, insight, plus hints and tips, on how to mitigate ESXiArgs in the main blog below.
-
A BOLDMOVE by the Chinese Hackers: Exploiting Fortinet Systems
Hi All,
We are excited to share our latest blog by Logpoint Security Researcher, Nilaa Maharjan.
In this piece, you can read about the zero-day vulnerability Fortinet disclosed in its FortiOS SSL-VPN products in December 2022, which was discovered to have been exploited by ransomware gangs.
Get research and analysis, insight, plus hints and tips, on how to mitigate BOLDMOVE with Logpoint in the blog below.
Link: https://www.logpoint.com/en/blog/boldmove-exploiting-fortinet-systems/
-
Idea Portal. Update on visibility and not only
We recently updated our Idea Portal to bring even more privacy and freedom in sharing ideas: for example, it no longer shows the names of the users who voted for an idea, or the names of the users commenting on it. That should help preserve anonymity even when ideas are created from a support ticket.
Our team plans to continue improving the experience of all “ecosystem” resources like the Idea Portal, Service Desk and so on, so we appreciate any feedback from the community about this change, or about any other potential changes. Please feel free to comment there or through any other channel.
NB: a limited set of Logpoint employees (product managers with sufficient permissions) can still see the names of commenters in the back office of the Idea Portal, to enable direct dialogue on any specific feature scenario to be discussed outside the Idea Portal.
-
User account privileges escalation
Is there a method, or can there be a method, where you can set your user accounts in Logpoint as standard accounts, and when someone needs to complete any administrative task a ticket/token can be raised, with a time frame limit, where a manager/third person can either approve or reject the request to escalate the user account from standard to admin? For account tracking and better account visibility. Just as in Microsoft 365 security or the MDE security portal.
-
Layout Templates import
Hi folks, just a quick one.
I noticed on the Layout Templates section of the Reports tab that you can import a template. However, it doesn’t look like you can actually export a template. So, my question is - what kind of template do you import?
Is there a specific file format or report schema that needs to be used, or does that option just not do anything at the moment?
I did look on this page but there didn’t seem to be an explanation there either.
-
Will LP 6 still receive updates ?
Hello,
I have some minor questions regarding LP “policies” on security vulnerabilities:
Will LogPoint 6 still receive patches to fix security vulnerabilities? E.g. LP 7.0.1 fixes the polkit vulnerability. As polkit was discovered AFTER the latest patch for LP 6 (6.12.02), there is a good chance LP6 is affected by it too, but there is no patch available and I didn’t find any information that LP 6.12.02 is NOT affected by this vulnerability.
I am currently not keen to upgrade my LP installations from 6.12.2 to LP 7, but there have been some vulnerabilities for Linux recently (Log4Shell, polkit, dirty pipe, now zlib) with a good chance of LP being affected by them. If LP6 will not receive patches anymore, I would have to update (fast).
Generally speaking, is there any documentation on how long the different LP versions are supported?
Also, is there a website, newsletter etc. to get a quick overview or (even better) automatic notification when new LP patches \ software updates are released?
Right now I log into the service desk, browse to the product site and check manually, which is rather time consuming.
Andre
-
Old Community closing down today.
Dear All,
We would like to inform you that the old LogPoint Community on https://servicedesk.logpoint.com/hc/en-us/community/posts is closing down today / 25.03.2022 and all community activity will be directed to this community.
-
Customer open hours sessions - limited spots available! :)
We still have a few spots available for our exclusive customer open hour sessions with LogPoint experts from our engineering, customer success, support, and global services teams.
You might have questions like:
- How do I activate SOAR on top of my SIEM V7.0?
- How do I create a Trigger?
- Do I need to pay to activate my SOAR?
- Or something completely different. We are here to help you.
The Open Hour sessions are:
Upgrading to LogPoint 7 is free. Visit the LogPoint Help Center to download LogPoint 7.
We look forward to answering your questions and supporting your experiences with LogPoint SIEM+SOAR.
-
Exclusive customer open hour sessions with LogPoint experts - Register now!
Are you using LogPoint 7 but have questions about SIEM or SOAR?
For a short period we are offering exclusive customer open hour sessions with LogPoint experts from our engineering, customer success, support, and global services teams.
You might have questions like:
- How do I activate SOAR on top of my SIEM V7.0?
- How do I create a Trigger?
- Do I need to pay to activate my SOAR?
- Or something completely different. We are here to help you.
The Open Hour sessions are:
Upgrading to LogPoint 7 is free. Visit the LogPoint Help Center to download LogPoint 7.
We look forward to answering your questions and supporting your experiences with LogPoint SIEM+SOAR.
-
Expect prolonged response time from Support due to faults in internet submarine cable supply in the Indian Ocean.
Dear All,
We have been informed that there’s a problem with the under-sea cables between India and Europe resulting in connectivity issues. While work is underway to fully restore internet services at the earliest we are asking for your patience while we are doing our utmost best to ensure that your tickets are all resolved as fast as possible.
In the meantime, we encourage you to use this community for instant help on non-critical issues.
-
Update on Log4j
Dear LogPoint Partner and Customer.
Recently, a critical remote code execution vulnerability in Apache log4j (CVE-2021-44228) was discovered, affecting versions 2.0-2.14.1.
Vulnerability status of LogPoint products
At this time, we have determined that no LogPoint products are affected by the vulnerability.
For detailed information about the vulnerability status of each LogPoint product, please consult the table below. If you have any questions about the vulnerability, please contact LogPoint Support or LogPoint Community.
Details of vulnerability by LogPoint product
Product                    | Vulnerable?     | Reason
LogPoint 6.12.2            | Not affected    | Log4J v 1.2 used
Previous LogPoint versions | Not affected    | Previous versions used
UEBA                       | Not affected    | Log4J v 1.x used
LogPoint Agent             | Not applicable  | Not used
Director Console           | Not affected    | Log4J v 1.2 used
Director Fabric            | Not affected    | Log4J v 1.2 used
Search Master              | Not affected    | Log4J v 1.2 used
AAHC                       | Not affected    | Log4J v 1.2 used
Plugins                    | Not affected    | Log4j v 1.2 used
Applications               | Not applicable  | Not used
LogPoint for SAP HANA      | Not applicable  | Not used
LogPoint for SAP Light     | Not affected    | Not used
LogPoint for SAP Extended  | Not applicable  | Not used
* Note: log4j v1.2.x is affected by another vulnerability that is only exploitable when the JMSAppender class is used. While LogPoint uses log4j version 1.2, JMSAppender is not used in LogPoint, and we have actively attempted to exploit the vulnerability, confirming that in these cases log4j v1.2 is not vulnerable in the current deployment configuration.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228
Regards,
Brian Hansen, LogPoint
VP, Customer Success
-
Is LogPoint vulnerable to CVE-2021-44228
Hello LogPoint Support / LogPoint Community,
regarding the news about the log4j 2 CVE-2021-44228, I’ve been wondering whether log4j Version 2 is in use in the LogPoint Core SIEM or other parts of your product suite.
Could you please evaluate this and inform us partners and customers about the probable impact of this CVE?
Thanks so much in advance,
Tobias Weidemann
-
Roundtable discussion with LogPoint VP of Customer Success
Join us on the next Customer Success Roundtable session on October 21 3PM-4PM CET and share your ideas and feedback directly with the VP of Customer Success on how to improve LogPoint products and services.
To register, simply send an email to customersuccess@logpoint.com
-
Send your feature requests directly to the LogPoint Product Team going forward! 🥳😎
We are now launching the LogPoint Ideas portal and would like you to join. Simply click the link below and log in with your existing support credentials; easy as that, you are now ready to submit and upvote feature requests. Alternatively, you can always access the Idea Portal from the Community: go to homepage → upper right corner → click Idea Portal.
Join here: https://logpoint.ideas.aha.io/
-
Roundtable with LogPoint's Product Manager for UEBA
Hello everyone,
I just wanted to direct your attention to a roundtable that we have coming up with Jon Eglisson, our Engineering Manager for UEBA in the CTO office.
So if there’s anything you always wanted to know about LogPoint’s UEBA solution this should be an interesting one to attend!
You can find the signup link here:
-
How to detect stealthy Cobalt Strike activity in your enterprise
Cobalt Strike, first released in 2012, is a commercial adversary simulation tool and is popular among red teams, pen-testers, and threat actors alike. In essence, Cobalt Strike is a modularized post-exploitation framework that uses covert channels to simulate a threat actor in the organization’s network.
Cobalt Strike’s popularity is mainly due to its beacons being stealthy, stable, and highly customizable. The beacons are stealthy due to in-memory execution via reflection into the memory of a process without affecting the file system. Cobalt Strike’s post-exploitation suite includes support for keylogging, command execution, credential dumping, file transfer, port scanning, and more, making the adversary’s job easier. Malleable C2 is another beloved feature of Cobalt Strike that allows attackers to change how its beacons look and mimic other legitimate traffic to stay under the radar.
Though the vendor screens the distribution of licenses to security professionals, adversaries have frequently been able to crack and leak it. In fact, two months before, Proofpoint reported that adversarial use of Cobalt Strike increased 161 percent from 2019 to 2020 and remains a high-volume threat in 2021. Proofpoint disclosed that it attributed two-thirds of identified Cobalt Strike campaigns from 2016 through 2018 to well-resourced cybercrime organizations or APT groups. APT29, APT32, APT41, Cobalt, FIN6, TA505, TIN WOODLAWN and Mustang Panda are just some of the threat actors who have used Cobalt Strike in their operations.
Cobalt Strike was repeatedly used in the high-profile SolarWinds supply chain incident where the Raindrop loader dropped the Cobalt Strike payload. Several ransomware strains like Ryuk, Conti, Egregor and DoppelPaymer have started to use Cobalt Strike to speed up their ransomware deployment. In September 2020, Cisco Talos reported that 66 percent of ransomware attacks involved Cobalt Strike and ransomware actors heavily rely on the tool as they abandon commodity trojans.
Cobalt Strike’s post-exploitation features are exposed via beacons that execute in the memory of the infected system. Security analysts can build detections from the artifacts a beacon leaves behind during post-exploitation. Similarly, analysts can use default settings like beacon names and default certificates to aid detection.
LogPoint has now released UseCases v5.0.4, which includes alerts and a dashboard for Cobalt Strike to help you identify threats within your environment, so you can take corrective actions against them.
Detecting Cobalt Strike activity in LogPoint
Named pipes are essential to the operation of Cobalt Strike beacons. Before version 4.2, Cobalt Strike did not allow operators to change the default naming scheme of its named pipes. If Sysmon is deployed in the environment and correctly configured, this is an opportunity to detect Cobalt Strike’s default named pipes.
norm_id=WindowsSysmon label=Pipe
pipe IN ["\msagent_*", "\MSSE-*-server", "\postex_*", "\status_*", "\mypipe-f*", "\mypipe-h*",
"\ntsvcs_*", "\scerpc_*", "\mojo.5688.8052.183894939787088877*", "\mojo.5688.8052.35780273329370473*"]
Sysmon rules for Cobalt Strike Pipe Names
LogPoint customers can refer to our base sysmon configuration that covers various Cobalt Strike activities.
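The same hunt expressed outside the SIEM, as an added example that is not Logpoint's code: the script parses Sysmon pipe events (event ID 17 is a pipe being created, 18 a client connecting to it) from their event XML and matches the PipeName field against the default pipe list from the query above, treating Logpoint's `*` wildcard as a shell-style glob. The event records are constructed for the demonstration; the field names (EventID, PipeName, Image) follow Sysmon's schema.

```python
"""Match Sysmon named-pipe events against Cobalt Strike's default pipe names.

Added example implementing the pipe hunt above in Python; it is not Logpoint's
code. Event XML shapes follow Sysmon's schema (EventID 17 = pipe created,
18 = pipe connected); the events themselves are constructed for this demo.
"""
from __future__ import annotations

import fnmatch
import xml.etree.ElementTree as ET

# Default pipe patterns from the Logpoint query above (Logpoint '*' wildcard
# maps directly onto a shell-style glob).
DEFAULT_CS_PIPES = [
    r"\msagent_*", r"\MSSE-*-server", r"\postex_*", r"\status_*",
    r"\mypipe-f*", r"\mypipe-h*", r"\ntsvcs_*", r"\scerpc_*",
    r"\mojo.5688.8052.183894939787088877*", r"\mojo.5688.8052.35780273329370473*",
]
PIPE_EVENT_IDS = {"17": "PipeCreated", "18": "PipeConnected"}
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_sysmon_event(xml_text: str) -> dict:
    """Flatten a Sysmon event into {'EventID': ..., <Data Name>: <value>, ...}."""
    root = ET.fromstring(xml_text)
    event = {"EventID": root.findtext("e:System/e:EventID", namespaces=NS)}
    for data in root.iterfind("e:EventData/e:Data", NS):
        event[data.get("Name")] = data.text or ""
    return event


def matches_default_pipe(pipe_name: str) -> str | None:
    """Return the default-pipe pattern that matched, or None. Pipe names are
    case-insensitive on Windows, so both sides are lower-cased first."""
    for pattern in DEFAULT_CS_PIPES:
        if fnmatch.fnmatchcase(pipe_name.lower(), pattern.lower()):
            return pattern
    return None


def hunt_pipes(events_xml: list[str]) -> list[dict]:
    """Run the default-pipe check over raw Sysmon event XML records."""
    hits = []
    for xml_text in events_xml:
        ev = parse_sysmon_event(xml_text)
        if ev["EventID"] not in PIPE_EVENT_IDS:
            continue  # only pipe create/connect events carry PipeName
        pattern = matches_default_pipe(ev.get("PipeName", ""))
        if pattern:
            hits.append({
                "type": PIPE_EVENT_IDS[ev["EventID"]],
                "pipe": ev["PipeName"],
                "image": ev.get("Image", ""),
                "pattern": pattern,
            })
    return hits


def _event(event_id: int, pipe: str, image: str) -> str:
    """Build a minimal Sysmon-shaped event (constructed sample data)."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f"<System><EventID>{event_id}</EventID></System>"
        f'<EventData><Data Name="PipeName">{pipe}</Data>'
        f'<Data Name="Image">{image}</Data></EventData></Event>'
    )


# Constructed samples: two default-pipe hits, one benign pipe, one non-pipe event.
SAMPLE_EVENTS = [
    _event(17, r"\msagent_a1f3", r"C:\Windows\System32\rundll32.exe"),
    _event(18, r"\MSSE-1234-server", r"C:\Windows\System32\rundll32.exe"),
    _event(17, r"\lsass", r"C:\Windows\System32\lsass.exe"),
    _event(1, r"\postex_0000", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for hit in hunt_pipes(SAMPLE_EVENTS):
        print(hit)
```

The matcher reports which default pattern fired, so a triage view can separate beacon pipes (`\msagent_*`, `\MSSE-*-server`) from post-exploitation job pipes (`\postex_*`). As the text notes, operators on 4.2 and later can rename these pipes, so a miss here is not a clean result.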
Adversaries commonly use Cobalt Strike’s named pipe impersonation feature to obtain SYSTEM privileges that can be detected via process creation events.
norm_id=WinServer label="Process" label=Create
parent_process="*\services.exe"
command IN ['*cmd* /c *echo *\pipe\*', '*%COMSPEC%* /c * echo *\pipe\*', '*rundll32*.dll,a*/p:*']
Search for Cobalt Strike Named Pipe Impersonation
You can also hunt for artifacts in services created by Cobalt Strike from the Service Control Manager (SCM) logs.
norm_id=WinServer event_id=7045 ((path="*ADMIN$*" service="*.exe") OR (path="%COMSPEC% /b /c start /b /min powershell -nop -w hidden -encodedcommand*"))
Sysmon’s CreateRemoteThread events (event ID 8) aid in detecting Cobalt Strike’s process injection activity.
norm_id=WindowsSysmon event_id=8 start_address IN ["*0B80", "*0C7C", "*0C88"]
Cobalt Strike spawns rundll32 without any command line and regularly injects the necessary payload code into rundll32’s memory. Therefore, check for the creation of rundll32 without any command-line arguments, a check that is largely unaffected by noise.
label="Process" label=Create
"process"="*\rundll32.exe" command="*\rundll32.exe"
Next, you can decode PowerShell sessions with the default command-line prefix and watch for snippets of commands commonly used by Cobalt Strike.
norm_id=WinServer event_source=PowerShell event_id=400
application="powershell -nop -exec bypass -EncodedCommand*"
| norm on application -<:'EncodedCommand\s'>
| process codec(decode, encoded_command) as decoded_command
| search decoded_command IN ["*IEX*DownloadString*127.0.0.1:*",
"Invoke-WMIMethod win32_process*-argumentlist*", "Invoke-Command -ComputerName*-ScriptBlock*", "*=New-Object IO.MemoryStream [Convert]::FromBase64String*"]
| chart count() by host, device_ip, decoded_command, encoded_command
Cobalt Strike’s powerpick command enables the execution of unmanaged PowerShell. You can hunt for the activity via a mismatch between the host version and engine version in PowerShell’s Engine Lifecycle events.
norm_id=WinServer event_source=PowerShell event_id=400
hostname=ConsoleHost application="*\rundll32.exe"
| process compare(host_version, engine_version) as match
| search match=False
Search for mismatch in host version and engine version in PowerShell’s Engine Lifecycle events
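Both PowerShell hunts above (decoding `-EncodedCommand` and comparing host and engine versions) re-implemented over raw event-400 records, as an added example that is not Logpoint's code. It shows the part the query hides: `-EncodedCommand` carries base64 of UTF-16LE text, not UTF-8, and one of the page's own snippets contains `[Convert]`, which a glob matcher would otherwise read as a character class. Field names (host, application, hostname, host_version, engine_version) mirror the Logpoint fields on the page; the event records are constructed.

```python
"""Decode PowerShell -EncodedCommand values from Engine Lifecycle (event 400)
records and flag Cobalt Strike-style content; also flag the powerpick
host/engine version mismatch.

Added example, not Logpoint's code: it re-implements the two Logpoint queries
above in Python. Field names (host, application, hostname, host_version,
engine_version) mirror the Logpoint fields used on the page; the event
records below are constructed for this demo.
"""
from __future__ import annotations

import base64
import binascii
import fnmatch

# Snippets from the decoding query above.
SUSPICIOUS_SNIPPETS = [
    "*IEX*DownloadString*127.0.0.1:*",
    "Invoke-WMIMethod win32_process*-argumentlist*",
    "Invoke-Command -ComputerName*-ScriptBlock*",
    "*=New-Object IO.MemoryStream [Convert]::FromBase64String*",
]


def wildcard_match(text: str, pattern: str) -> bool:
    """Logpoint-style '*' wildcard, case-insensitive. fnmatch treats '[...]' as
    a character class, so a literal '[' (as in [Convert]) must be escaped."""
    return fnmatch.fnmatchcase(text.lower(), pattern.lower().replace("[", "[[]"))


def decode_encoded_command(application: str) -> str | None:
    """-EncodedCommand carries base64 of UTF-16LE text. PowerShell accepts
    unambiguous prefixes of the switch (-enc, -encoded, ...), so any token of
    at least '-enc' that prefixes the full name is treated as the switch."""
    tokens = application.split()
    for i, tok in enumerate(tokens[:-1]):
        t = tok.lower()
        if len(t) >= 4 and "-encodedcommand".startswith(t):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (binascii.Error, UnicodeDecodeError):
                return None  # malformed argument: not decodable, report nothing
    return None


def matched_snippet(decoded: str) -> str | None:
    for pattern in SUSPICIOUS_SNIPPETS:
        if wildcard_match(decoded, pattern):
            return pattern
    return None


def hunt_powershell(events: list[dict]) -> list[dict]:
    """Run both hunts over event-400 records; return one finding per hit."""
    findings = []
    for ev in events:
        application = ev.get("application", "")
        decoded = decode_encoded_command(application)
        if decoded is not None:
            pattern = matched_snippet(decoded)
            if pattern:
                findings.append({"host": ev["host"], "rule": "encoded_command",
                                 "pattern": pattern, "decoded": decoded})
        # powerpick: ConsoleHost reported by rundll32.exe with host/engine version skew
        if (ev.get("hostname") == "ConsoleHost"
                and application.lower().endswith("\\rundll32.exe")
                and ev.get("host_version") != ev.get("engine_version")):
            findings.append({"host": ev["host"], "rule": "host_engine_mismatch",
                             "host_version": ev["host_version"],
                             "engine_version": ev["engine_version"]})
    return findings


def _encoded(command: str) -> str:
    """Build the default command-line prefix from the query above around an
    encoded script (constructed sample data)."""
    b64 = base64.b64encode(command.encode("utf-16-le")).decode("ascii")
    return f"powershell -nop -exec bypass -EncodedCommand {b64}"


PS_VERSION = "5.1.19041.1"  # constructed version string
SAMPLE_EVENTS = [
    {"host": "ws01", "hostname": "ConsoleHost", "host_version": PS_VERSION, "engine_version": PS_VERSION,
     "application": _encoded("IEX (New-Object Net.WebClient).DownloadString('http://127.0.0.1:8080/x')")},
    {"host": "ws02", "hostname": "ConsoleHost", "host_version": PS_VERSION, "engine_version": PS_VERSION,
     "application": _encoded("Get-Date")},                      # benign encoded command
    {"host": "ws03", "hostname": "ConsoleHost", "host_version": "2.0", "engine_version": PS_VERSION,
     "application": r"C:\Windows\System32\rundll32.exe"},       # powerpick-style unmanaged PowerShell
    {"host": "ws04", "hostname": "ConsoleHost", "host_version": PS_VERSION, "engine_version": PS_VERSION,
     "application": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "ws05", "hostname": "ConsoleHost", "host_version": PS_VERSION, "engine_version": PS_VERSION,
     "application": _encoded("$ms=New-Object IO.MemoryStream [Convert]::FromBase64String('QUJD')")},
]

if __name__ == "__main__":
    for finding in hunt_powershell(SAMPLE_EVENTS):
        print(finding)
```

The Logpoint query keys on the exact string `-EncodedCommand`; the Python version also accepts the abbreviated switch forms PowerShell itself accepts, which is why the lead-in calls this a generalization of the page's query rather than a transcription of it.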
Proxy execution via RunDLL32 and Regsvr32 remains the most popular method for executing Cobalt Strike beacons. You can hunt for executions of the binaries from suspicious locations.
label="Process" label=Create "process" IN ["*\rundll32.exe", "*\regsvr32.exe"] command IN ["*C:\ProgramData\*", "*C:\Users\Public\*", "*C:\PerfLogs\*", "*\AppData\Local\Temp\*", "*\AppData\Roaming\Temp\*"]
Search for loading of DLLs from suspicious paths
You can hunt for default certificates that appear with Cobalt Strike when adversaries forget or neglect to change them.
(certificate_serial="8BB00EE" OR certificate_serial_number="8BB00EE")
Search for default Cobalt Strike certificate
Finally, watch for IDS/IPS alerts related to Cobalt Strike. Cisco Talos provided a list of snort rules that can help you detect the Cobalt Strike infection.
norm_id IN [Snort, SuricataIDS] (message IN ["*CobaltStrike*", "*Cobalt Strike*"] OR signature IN ["*CobaltStrike*", "*Cobalt Strike*"])
Expect the use of Cobalt Strike to rise
Many threat actors use default settings in Cobalt Strike, making detection easier for defenders. On the other hand, sophisticated threat actors who care about OPSEC change the defaults to evade detection. Enterprises can purchase threat intel feeds, such as DFIR Reports, to obtain a list of IP addresses of Cobalt Strike servers to use as IoCs when sweeping their network.
In the coming years, you can expect threat actors to continue and even increase their use of Cobalt Strike to help target all industries due to the stability, versatility, and difficult attribution of Cobalt Strike.
-
Customer Success Roundtable discussion with LogPoint's VP of Customer Success
Join us on the next Customer Success Roundtable session on August 24 3PM CET and share your ideas and feedback directly with the VP of Customer Success on how to improve LogPoint products and services.
To register, simply send an email to customersuccess@logpoint.com
-
Customer Success Roundtable and LogPoint Cyber Professionals Panel – sign up for the newsletter today for the registration details!
We will soon be sending out our new Customer Success Newsletter, if you are not already receiving newsletters from LogPoint, sign up here: https://go.logpoint.com/customernewsletter-signup
This issue will contain information about our new Customer Success Roundtable sessions, LogPoint's Cyber Professionals Panel, as well as Fighting the Ransomware War, Machine Learning, UEBA, the Sizing Calculator and new integrations.
Regards,
Brian Hansen
VP, Customer Success
-
ThinkIn content available now!
Once again, a big thank you from all of us for joining LogPoint’s ThinkIn 2021!
We have collected all of the great keynotes, presentations, and breakout sessions for you to revisit: Thinkin 2021 recordings
If you haven’t already provided your feedback on Thinkin 2021, we would very much appreciate a few minutes of your time: Take the ThinkIn 2021 survey
See you for ThinkIn 2022…
-
Support-Connection - HTTP Proxy settings
Hi,
I will need to open a support ticket with LP in the near future as the /opt folder does not have enough free space anymore, which prevents the 6.11 updates from being applied.
According to the LP documentation following fw rules have to be configured to successfully create a support connection:
reverse.logpoint.dk - 1193/UDP
customer.logpoint.com - 443/TCP
My first question:
Are these rules still correct? reverse.logpoint.dk does not seem to exist anymore. Adding these rules to our firewall would not allow our LogPoint to retrieve a support IP.
Second question:
I guess that 443/TCP is needed to send some HTTPS traffic back to Logpoint. However, all HTTPS traffic in our network is routed through a forward proxy, and I would like to avoid making an exception for our LPs if possible. But I cannot find any setting in the web GUI allowing me to configure an HTTP proxy on the LogPoint. Is it possible to configure a system-wide HTTP proxy via the web GUI or the command line? Please mind, we only have command line access for li-admin, not full root privileges.
Third question:
I found a CLI tool for establishing a remote connection in the LP docs somewhere, yet for another product (I think it is LP Director), called start-support.
Though undocumented, it seems to work in LP. Can I use it to establish a remote connection (if so, I think exporting the http_proxy variable for li-admin should be sufficient, as the start-support tool will also run as user li-admin), or does it do something different?
Regards
Andre
-
ThinkIn feedback wanted
A big thank you from all of us for joining LogPoint’s ThinkIn 2021!
As we’re always striving to improve and make the next edition of ThinkIn even better, we would very much appreciate your feedback on ThinkIn 2021.
Please take a few minutes to share your impressions here in the comments section or Take the ThinkIn 2021 survey
If you want to revisit ThinkIn 2021, you can find live recordings of main tracks for the two days here:
ThinkIn 2021 – Day 1
ThinkIn 2021 – Day 2
Stay tuned for recordings of individual keynotes, presentations, and breakout sessions.
-
Automatic creation of List from process toList command
Wouldn’t it be more handy to get a list created automatically when a process toList command is used in an LP query, just like the T-SQL query below which creates a DB table automatically, rather than manually creating a dynamic list every time?
SELECT column1, column2, column3, ...
INTO newtable [IN externaldb]
FROM oldtable
WHERE condition;