I published the following diary on isc.sans.org: “Are Your Hunting Rules Still Working?“:
You are working in an organization which implemented good security practices: log events are collected then indexed by a nice powerful tool. The next step is usually to enrich this (huge) amount of data with external sources. You collect IOC’s, you get feeds from OSINT. Good! You start to create many reports and rules to be notified when something weird is happening. Everybody agrees on the fact that receiving too many alerts is bad and people won’t get their attention to them if they are constantly flooded… [Read more]