Jon Hencinski
Head of SecOps @ProphetSec

Nov 6, 2021, 8 tweets

A good alert includes:
- Detection context
- Investigation/response context
- Orchestration actions
- Prevalence info
- Environmental context (e.g., src IP is scanner)
- Pivots/visual to understand what else happened
- Able to answer, "Is host already under investigation?"

Detection context. Tell me what the alert is meant to detect, when it was pushed to prod/last modified and by whom. Tell me about "gotchas" and point me to examples when this detection found evil. Also, where in the attack lifecycle did we alert? This informs the right pivots.

Investigation/response context. Given a type of activity detected, guide an analyst through response.

If #BEC, what questions do we need to answer, which data sources? If coinminer in AWS, guide analyst through CloudTrail, steps to remediate.

Orchestration makes this easier.

Orchestration actions reduce variance in response and pull the decision moment fwd. Given an alert for a weird login, make recent MFA activity available w/ alert. Or if we flagged a process event, show me recent process activity. If we flagged a file, what does VT say?

Prevalence of alert metadata and evidence fields.

How often do we see this alert fire? How often does this detection find evil?

Also, prevalence of evidence fields. If we flagged a process/service, is it common or only on this host? How many hosts are talking to that domain?

Environmental context is about not having to use sticky notes in your SOC. If PAN alerted on internal scanning, is the source a known scanner? If we're running attack_sim or testing what are the accounts we should expect to see? Do these accounts have 2FA? Context about the org.

Alert mgmt is a queuing system but you can't handle them as single items on a factory line. Given an alert I can quickly pivot and see what else is happening. Lists are OK, but graphs are how you win here. Good alert UI makes it easy to visualize what else happened.

Given an alert, I need to know if this host/source/account is already under investigation, marked for remediation, or recently investigated. Alerts help tell the story. If there are multiple tickets for the same incident it's hard to tell the right story. Organization is key.
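The thread above lists the context a good alert should carry. The following is an added example, not code from the thread's author, showing how an enrichment step could attach detection prevalence, evidence-field prevalence, environmental context and investigation status to a raw alert before an analyst sees it. Every dataset in it (process inventory, DNS log, scanner list, detection stats, ticket queue) is constructed for the example, and the rule id, host names and ticket id are placeholders.

```python
"""Alert enrichment example: attach prevalence, environmental and
investigation context to a raw alert so the analyst does not have to
go looking for it. All data below is constructed for this example."""
from collections import Counter
from dataclasses import dataclass, asdict
from typing import Optional

# Constructed process inventory: host -> process names seen in the last 24h
PROCESS_INVENTORY = {
    "ws-01": {"explorer.exe", "outlook.exe", "svchost.exe", "rundll32.exe"},
    "ws-02": {"explorer.exe", "outlook.exe", "svchost.exe"},
    "ws-03": {"explorer.exe", "chrome.exe", "svchost.exe"},
    "ws-04": {"explorer.exe", "svchost.exe"},
}

# Constructed DNS log: (host, queried domain)
DNS_LOG = [
    ("ws-01", "update.example-cdn.net"),
    ("ws-01", "odd-name.example"),
    ("ws-02", "update.example-cdn.net"),
    ("ws-03", "update.example-cdn.net"),
]

# Constructed environmental context: known internal scanners, attack-sim accounts
KNOWN_SCANNERS = {"10.0.5.20"}
ATTACK_SIM_ACCOUNTS = {"redteam-svc"}

# Constructed detection history: rule id (placeholder) -> (times fired, true positives)
DETECTION_STATS = {"proc-rundll32-odd-parent": (40, 2)}

# Constructed ticket queue: entity -> open or recent investigation
OPEN_TICKETS = {"ws-01": {"ticket": "INC-1001", "state": "under_investigation"}}


@dataclass
class Alert:
    rule_id: str
    host: str
    process: Optional[str] = None
    domain: Optional[str] = None
    src_ip: Optional[str] = None
    account: Optional[str] = None


def detection_prevalence(rule_id: str) -> dict:
    """How often does this rule fire, and how often has it found evil?"""
    fired, evil = DETECTION_STATS.get(rule_id, (0, 0))
    return {"fired": fired, "true_positives": evil,
            "tp_rate": round(evil / fired, 3) if fired else None}


def process_prevalence(process: str) -> dict:
    """How many hosts run this process? One host is interesting; all hosts usually is not."""
    hosts = [h for h, procs in PROCESS_INVENTORY.items() if process in procs]
    return {"hosts": len(hosts), "of": len(PROCESS_INVENTORY), "only_here": len(hosts) == 1}


def domain_prevalence(domain: str) -> dict:
    """How many hosts talk to this domain, and how often?"""
    queries = Counter(d for _, d in DNS_LOG)
    talkers = {h for h, d in DNS_LOG if d == domain}
    return {"hosts_talking": len(talkers), "queries": queries[domain]}


def environmental_context(alert: Alert) -> dict:
    """The sticky-note facts about the org, looked up instead of remembered."""
    return {"src_is_known_scanner": alert.src_ip in KNOWN_SCANNERS,
            "account_is_attack_sim": alert.account in ATTACK_SIM_ACCOUNTS}


def investigation_status(host: str) -> dict:
    """Is this host already in a ticket? Avoids a second ticket for the same story."""
    ticket = OPEN_TICKETS.get(host)
    return {"already_under_investigation": ticket is not None,
            "ticket": ticket["ticket"] if ticket else None}


def enrich(alert: Alert) -> dict:
    """Assemble the full context block that ships with the alert."""
    return {
        "alert": asdict(alert),
        "detection": detection_prevalence(alert.rule_id),
        "process_prevalence": process_prevalence(alert.process) if alert.process else None,
        "domain_prevalence": domain_prevalence(alert.domain) if alert.domain else None,
        "environment": environmental_context(alert),
        "investigation": investigation_status(alert.host),
    }


def triage_hints(enriched: dict) -> list:
    """Turn the context into the one-line observations an analyst wants first."""
    hints = []
    p = enriched["process_prevalence"]
    if p and p["only_here"]:
        hints.append("process seen only on this host")
    d = enriched["domain_prevalence"]
    if d and d["hosts_talking"] == 1:
        hints.append("only this host talks to that domain")
    if enriched["environment"]["src_is_known_scanner"]:
        hints.append("source IP is a known internal scanner")
    inv = enriched["investigation"]
    if inv["already_under_investigation"]:
        hints.append(f"host already under investigation in {inv['ticket']}")
    return hints


if __name__ == "__main__":
    sample = Alert(rule_id="proc-rundll32-odd-parent", host="ws-01", process="rundll32.exe",
                   domain="odd-name.example", src_ip="10.0.5.20", account="jdoe")
    ctx = enrich(sample)
    print(ctx["detection"], ctx["process_prevalence"], sep="\n")
    print("\n".join(triage_hints(ctx)))
```

The prevalence lookups are deliberately separate functions so each can be swapped for a real query (EDR inventory, DNS telemetry, the ticketing API) without changing the shape of the context block the alert carries.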
