Keith

@kwm

@pmelson @r0wdy_ @pmelson The "what do you do about?" using the above states means that, if we're getting too many

Not a Threat - Improve suppression criteria, or our suppression logic. Investigative action.

False Positive - Improve the analytic(s). Detection Engineering action.

12/3/2020, 7:20:28 AM

Favs: 6

Retweets: 0

Keith

@kwm

@pmelson @r0wdy_ Here's the complete set of event states that we use. Some notes:

- They're customer-facing, optimized for simplicity

- Some of them have more granular internal states associated with them

- Some of them have state reasons, assigned by the investigating Detection Engineer

12/3/2020, 7:33:15 AM

Favs: 6

Retweets: 0

Keith

@kwm

@pmelson @r0wdy_ Having layers of granularity is extremely helpful, and can lead to fun exercises like:

"48% of events for Analytic_X are FP, and another 48% are Not a Threat. WTF?"

There's no one way out of this type of boondoggle, but thoughtful states + metrics make it easy to spot.

12/3/2020, 7:39:09 AM

Favs: 3

Retweets: 0
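The kind of per-analytic state metric the thread describes, as an added example (not code from Keith or the thread): it aggregates event outcomes by analytic, maps the two named states to the actions the first tweet assigns them (Not a Threat to suppression, False Positive to analytic tuning), and flags analytics where either share is high. The "Confirmed Threat" state, the sample events and the 40% threshold are assumptions made for this example; the page does not list the full state set.

```python
"""Per-analytic event-state metrics with the state-to-action mapping from the thread."""
from collections import Counter, defaultdict

# Action per event state, as stated in the thread. "Confirmed Threat" is an
# assumed placeholder state for this example; the thread does not list every state.
STATE_ACTION = {
    "Not a Threat": "Investigative: improve suppression criteria or suppression logic",
    "False Positive": "Detection Engineering: improve the analytic",
    "Confirmed Threat": "Incident Response (assumed state, not from the thread)",
}

# Constructed sample events as (analytic name, customer-facing state); not real data.
SAMPLE_EVENTS = (
    [("Analytic_X", "False Positive")] * 48
    + [("Analytic_X", "Not a Threat")] * 48
    + [("Analytic_X", "Confirmed Threat")] * 4
    + [("Analytic_Y", "Confirmed Threat")] * 9
    + [("Analytic_Y", "Not a Threat")] * 1
)


def state_distribution(events):
    """Return {analytic: {state: share}} with each share in [0, 1]."""
    counts = defaultdict(Counter)
    for analytic, state in events:
        counts[analytic][state] += 1
    return {
        analytic: {state: n / sum(c.values()) for state, n in c.items()}
        for analytic, c in counts.items()
    }


def flag_noisy_analytics(events, threshold=0.40):
    """List (analytic, state, share, action) for each non-threat state at or above
    the threshold. An analytic flagged for both Not a Threat and False Positive is
    the 48%/48% case from the thread: it needs both a suppression review and tuning."""
    findings = []
    for analytic, dist in sorted(state_distribution(events).items()):
        for state in ("Not a Threat", "False Positive"):
            share = dist.get(state, 0.0)
            if share >= threshold:
                findings.append((analytic, state, round(share, 2), STATE_ACTION[state]))
    return findings


def report(events, threshold=0.40):
    """Human-readable lines, one per flagged (analytic, state) pair."""
    return [
        f"{analytic}: {share:.0%} {state} -> {action}"
        for analytic, state, share, action in flag_noisy_analytics(events, threshold)
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_EVENTS):
        print(line)
```

With the constructed data, Analytic_X is flagged twice (48% Not a Threat, 48% False Positive) and Analytic_Y not at all, which is the split the thread says well-chosen states make easy to spot.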