Daniel's thoughts on infosec

Real Time vs Scheduled Query Detections - A Guide For Detection Engineers

Many SIEM tools nowadays offer the opportunity for you to write rules on streaming data or run scheduled queries on a periodic basis. But when should you use which and why? This blog post is designed to serve as a guide to those designing their detection architecture.

Daniel Wyleczuk-Stern

9-Minute Read


Most modern SIEMs offer 2 primary methods for running their queries: real time rules and scheduled queries. Each option offers a variety of pros and cons that you should consider as you develop your detection. Before we dive into that, let’s clarify what we mean by each.

Azure Flow Log Analysis

Azure flow logs don't have the same instance ID that AWS flow logs do. So how do you figure out which VM the logs came from?

Daniel Wyleczuk-Stern

7-Minute Read


Disclaimer I currently work at Snowflake and use the product on a daily basis for log analysis and threat detection. At the time of this writing, that probably adds bias to my article.

Recent Posts



A random collection of thoughts on cybersecurity.