A good alert includes:
- Detection context
- Investigation/response context
- Orchestration actions
- Prevalence info
- Environmental context (e.g, src IP is scanner)
- Pivots/visual to understand what else happened
- Able to answer, "Is host already under investigation?"
- Detection context
- Investigation/response context
- Orchestration actions
- Prevalence info
- Environmental context (e.g, src IP is scanner)
- Pivots/visual to understand what else happened
- Able to answer, "Is host already under investigation?"
Detection context. Tell me what the alert is meant to detect, when is was pushed to prod/last modified and by whom. Tell me about "gotchas" and point me to examples when this detection found evil. Also, where in the attack lifecycle did we alert? This informs the right pivots.
Investigation/response context. Given a type of activity detected, guide an analyst through response.
If #BEC, what questions do we need to answer, which data sources? If coinminer in AWS, guide analyst through CloudTrail, steps to remediate.
Orchestration makes this easier.
If #BEC, what questions do we need to answer, which data sources? If coinminer in AWS, guide analyst through CloudTrail, steps to remediate.
Orchestration makes this easier.
Orchestration actions reduce variance in response and pulls decision moment fwd. Given an alert for a weird login, make recent MFA activity available w/ alert. Or if we flagged a process event, show me recent process activity. If we flagged a file, what does VT say?
Prevalence of alert metadata and evidence fields.
How often do we see this alert fire? How often does this detection find evil?
Also, prevalence of evidence fields. If we flagged a process/service, is it common or only on this host? How many hosts are talking to that domain?
How often do we see this alert fire? How often does this detection find evil?
Also, prevalence of evidence fields. If we flagged a process/service, is it common or only on this host? How many hosts are talking to that domain?
Environmental context is about not having to use sticky notes in your SOC. If PAN alerted on internal scanning, is the source a known scanner? If we're running attack_sim or testing what are the accounts we should expect to see? Do these accounts have 2FA? Context about the org.
Alert mgmt is a queuing system but you can't handle them as single items on a factory line. Given an alert I can quickly pivot and see what else is happening.Lists are OK, but graphs are how you win here. Good alert UI makes it easy to visualize what else happened.
Given an alert need to know if this host/source/account is already under investigation, marked for remediation, or recently investigated. Alerts help tell the story. If there are multiple tickets for the same incident it's hard to to tell the right story. Organization is key.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
