infosec

Real Time vs Scheduled Query Detections - A Guide For Detection Engineers

Many SIEM tools nowadays offer the opportunity for you to write rules on streaming data or run scheduled queries on a periodic basis. But when should you use which and why? This blog post is designed to serve as a guide to those designing their detection architecture.

August 15, 2022

Daniel Wyleczuk-Stern

9-Minute Read

Most modern SIEMs offer 2 primary methods for running their queries: real time rules and scheduled queries. Each option offers a variety of pros and cons that you should consider as you develop your detection. Before we dive into that, let’s clarify what we mean by each.

Azure Flow Log Analysis

Azure flow logs don't have the same instance ID that AWS flow logs do. So how do you figure out which VM the logs came from?

July 16, 2021

Daniel Wyleczuk-Stern

7-Minute Read

Disclaimer I currently work at Snowflake and use the product on a daily basis for log analysis and threat detection. At the time of this writing, that probably adds bias to my article.

Regarding SMS 2FA

Responding to Tavis Ormandy's comments on SMS 2FA

July 29, 2020

Daniel Wyleczuk-Stern

4-Minute Read

I think an important question that Tavis either explicitly or accidentally omitted is “for whom”. I am not sure why he did not include this as it’s a critical component to his argument. If Tavis is stating that “SMS 2FA is ineffective for an enterprise”, then I would agree. The threat model that he is operating from is that an organization is being explicitly targeted by a motivated (though not necessarily extremely capable) attacker, who only needs minimal access…

CatsCrdl

Real Time vs Scheduled Query Detections - A Guide For Detection Engineers

Azure Flow Log Analysis

Regarding SMS 2FA

Recent Posts

There are Only Two Rules

Building Resilient Detection Suppressions

How to Write an Actionable Alert

Real Time vs Scheduled Query Detections - A Guide For Detection Engineers

A Shmoo's Guide to DC

Categories

About