Keith

@kwm

@chrissanders88 The primary measure we use is transaction time. It starts when events are claimed, and stops when all events are terminal (confirmed or FP).

10/30/2017, 2:10:16 PM

Favs: 0

Retweets: 0

Keith

@kwm

@chrissanders88 We work endpoint-at-a-time, not based on control-derived alerts. We may have 20 events -> one confirmed threat. Thus, the event distinction.

10/30/2017, 2:12:30 PM

Favs: 0

Retweets: 0