TTPwire Vol. 1 · MITRE ATT&CK·Tagged


NCSC UK

Could your choice of metrics be harming your SOC?

2026-04-27

ATT&CK techniques detected

2 predictions
T1059.001 · PowerShell
88%
“techniques, and the alerts (or hardening suggestions) that the analyst proposes following the hunt. 2. Maximal true positives / minimal false positives. Every false positive harms your SOC by both distracting an analyst, and by incentivising them to expect false positives. SOCs…”
T1654 · Log Enumeration
57%
“the more rules there are to 'detect bad things' will result in more chances to 'detect bad things'. Unfortunately this is rarely the case. Such a metric almost always leads to the perverse outcome of ‘alert inflation’; analysts are incentivised to write as many rules as po…”

Summary

Poor metrics can render a well-intentioned security operation centre entirely ineffective.