So you want to be a SOC Analyst? Part 5
So now you can write detections, which means you will soon learn about false positives; let's practice tuning those.
If you just landed here, be sure to check out the Intro to this series.
Tuning False Positives
I found it much easier to capture this concept in a video rather than a full-text post, so check it out here
Resources
As I mention in the video, the main hurdle to mastering FP tuning is knowing what “normal” looks like. The primary way to get experience with this is spending more and more time looking at system telemetry. Here are a few resources I recommend studying:
SANS DFIR “Hunt Evil” poster
Ready for more? Check out Part 6 where we start playing with some more advanced detection capabilities such as YARA scanning.
Thanks for continuing the series Eric!
I'm getting an error when I try to test the rule against another event (following along with the "testing" portion of your video).
I get this error:
false => (is) {"op":"is","path":"detect/event/FILE_PATH","value":"C:\\Windows\\System32\\svchost.exe"}
In the detection I'm testing against, the command line is:
"COMMAND_LINE": "C:\\Windows\\system32\\svchost.exe -k wusvcs -p -s WaaSMedicSvc",
And of course, I've used your example detection statements:
- op: is
path: detect/event/FILE_PATH
value: C:\Windows\System32\svchost.exe
Can you see what I'm doing wrong based on what I've presented here?
Thanks!