CatsCrdl

Daniel's thoughts on infosec

Building Resilient Detection Suppressions

When a false positive occurs, how do you approach tuning your detector? Do you allowlist that one event? That can lead to another false positive tomorrow. This article will provide an example of how we build resilient suppressions.

Daniel Wyleczuk-Stern

4-Minute Read

A Cybersecurity Engineer Playing Whack-a-Mole

Raise your hand if you’ve worked on suppressing a false positive for a detector and then the very next day, it’s back in your “fix” queue with another false positive. I’d expect almost everyone who’s worked in detection engineering for any period of time has their hand raised or is nodding along. Why does this happen? Well, sometimes the detector itself isn’t very good and it’s alerting on a lot of benign behavior. But sometimes, the answer is that…

Real Time vs Scheduled Query Detections - A Guide For Detection Engineers

Many SIEM tools nowadays offer the opportunity for you to write rules on streaming data or run scheduled queries on a periodic basis. But when should you use which and why? This blog post is designed to serve as a guide to those designing their detection architecture.

Daniel Wyleczuk-Stern

9-Minute Read

Analysis

Most modern SIEMs offer two primary methods for running their queries: real-time rules and scheduled queries. Each option has a variety of pros and cons that you should consider as you develop your detection. Before we dive into that, let’s clarify what we mean by each.

About

A random collection of thoughts on cybersecurity.