So you want to be a SOC Analyst? Part 5
So now you can write detections, which means you will soon learn about false positives; let's practice tuning those.
If you just landed here, be sure to check out the Intro to this series.
Tuning False Positives
I found it much easier to capture this concept in a video rather than a full-text post, so check it out here.
As I mention in the video, the main hurdle to mastering FP tuning is knowing what “normal” looks like. The primary way to get experience with this is spending more and more time looking at system telemetry. Here are a few resources I recommend studying:
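One way to turn "knowing what normal looks like" into something concrete is to let a reviewed window of telemetry propose the exclusions for you, then key each exclusion narrowly enough that the thing the rule exists to catch still fires. The script below is an added example, not code from the post or the video: it takes a deliberately noisy rule (PowerShell started with an encoded command), learns exclusions from a constructed "known normal" window, and re-runs the rule over a second constructed window. All hosts, users, paths and the monitoring agent (`Acme Monitor`) are hypothetical, and the suspect command line carries a placeholder blob.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record, trimmed to the fields the rule needs."""
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


def base_rule(ev: ProcessEvent) -> bool:
    """Untuned detection: powershell.exe started with an encoded command."""
    tokens = ev.command_line.lower().split()
    return ev.image.lower().endswith("powershell.exe") and any(
        t in ("-enc", "-encodedcommand") for t in tokens
    )


def exclusion_key(ev: ProcessEvent) -> tuple:
    # Exclusions are keyed on parent + user + exact command line, never on the
    # command alone, so a different launcher replaying the same blob still alerts.
    return (ev.parent_image.lower(), ev.user.lower(), ev.command_line)


def learn_exclusions(baseline, min_count=5, min_hosts=2):
    """Propose exclusions from a reviewed 'known normal' window: only rule hits
    that recur often and on more than one host are treated as normal."""
    counts = Counter()
    hosts = defaultdict(set)
    for ev in baseline:
        if base_rule(ev):
            key = exclusion_key(ev)
            counts[key] += 1
            hosts[key].add(ev.host)
    return {k for k in counts if counts[k] >= min_count and len(hosts[k]) >= min_hosts}


def run(events, exclusions=frozenset()):
    """Apply the rule; an event is suppressed only if its full key is excluded."""
    return [ev for ev in events if base_rule(ev) and exclusion_key(ev) not in exclusions]


# --- Constructed sample telemetry (hypothetical hosts, paths and users) ---
AGENT = r"C:\Program Files\Acme Monitor\agent.exe"   # hypothetical monitoring agent
SYSTEM = r"NT AUTHORITY\SYSTEM"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# The blob below is base64 of UTF-16LE "Get-Service": a benign health check.
AGENT_CMD = "powershell.exe -NoProfile -EncodedCommand RwBlAHQALQBTAGUAcgB2AGkAYwBlAA=="
# Placeholder blob standing in for whatever an analyst would actually decode.
SUSPECT_CMD = "powershell.exe -w hidden -enc UExBQ0VIT0xERVI="


def _agent_event(host):
    return ProcessEvent(host, SYSTEM, AGENT, PS, AGENT_CMD)


# A reviewed "known normal" week: the agent runs its check on every host.
BASELINE_WINDOW = [_agent_event(h) for h in ("ws01", "ws02", "ws03") for _ in range(3)] + [
    # A one-off by an admin: too rare to become an exclusion, and it should not.
    ProcessEvent("ws01", r"CORP\admin", r"C:\Windows\explorer.exe", PS, AGENT_CMD),
    ProcessEvent("ws02", r"CORP\jdoe", r"C:\Windows\explorer.exe", r"C:\Windows\notepad.exe", "notepad.exe"),
]

# The window being triaged today.
EVAL_WINDOW = [
    _agent_event("ws04"),
    _agent_event("ws05"),
    # Office spawning hidden encoded PowerShell: the case the rule exists for.
    ProcessEvent("ws02", r"CORP\jdoe", r"C:\Program Files\Office\WINWORD.EXE", PS, SUSPECT_CMD),
    # Same benign-looking blob as the agent, but launched by cmd.exe as a user:
    # the narrow exclusion key means this still alerts.
    ProcessEvent("ws03", r"CORP\jdoe", r"C:\Windows\System32\cmd.exe", PS, AGENT_CMD),
    ProcessEvent("ws01", r"CORP\jdoe", r"C:\Windows\explorer.exe", r"C:\Windows\notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    print("untuned alerts:", len(run(EVAL_WINDOW)))            # 4
    excl = learn_exclusions(BASELINE_WINDOW)
    print("learned exclusions:", len(excl))                     # 1
    for hit in run(EVAL_WINDOW, excl):                          # 2 alerts remain
        print("ALERT", hit.host, hit.user, hit.parent_image)
```

The two thresholds (`min_count`, `min_hosts`) are the knobs an analyst tunes: a hit that appears once, even from an admin, is not "normal" yet, and a hit that appears often on a single host may be one compromised machine rather than a fleet-wide pattern. The exclusion being a full tuple rather than a substring is what keeps the rule honest when someone reuses a command line you have already accepted.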
Ready for more? Check out Part 6 where we start playing with some more advanced detection capabilities such as YARA scanning.