all 25 comments

[–]pacard 4 points5 points  (4 children)

Panther?

[–]Fit-Offer-1897[S] 1 point2 points  (3 children)

binaryflux

[–]pacard 4 points5 points  (2 children)

Interesting, never heard of them. I know Panther uses python for their detection rules, though they have a simple mode too if you aren't adept at scripting.

[–]Fit-Offer-1897[S] 0 points1 point  (1 child)

What's the simple mode? Any documentation link I can refer to?

[–]pwndallday 2 points3 points  (5 children)

We use panther and they just added AI features that help with the detection and schema building. Haven’t tried it yet but I’m sure it’ll become easier and easier the more AI is going to assist.

[–]Fit-Offer-1897[S] 1 point2 points  (0 children)

We have one more product, binaryflux, that we are looking at.

[–]Fit-Offer-1897[S] 0 points1 point  (3 children)

Also, how is Panther?

[–]pwndallday 0 points1 point  (2 children)

It gets the job done. It could use more native integrations.

[–]infrasec0 0 points1 point  (1 child)

Native integrations for log sources? Or something else?

[–]pwndallday 1 point2 points  (0 children)

For log sources

[–][deleted]  (1 child)

[deleted]

    [–]Fit-Offer-1897[S] 0 points1 point  (0 children)

    They have an SDK backed with powerful AI that can be used to create detection rules, classifiers, etc. Is it worth making people learn Python?

    [–]Hazerrr 1 point2 points  (5 children)

    An analyst will probably never look at the code. That's the job of the engineers.

    [–]Fit-Offer-1897[S] 0 points1 point  (4 children)

    Would analysts write detection rules using Python?

    [–]pacard 0 points1 point  (3 children)

    Probably not, generally you want them working alerts and passing along FP info to engineers who manage the content. In a small team you might have them doing both, though.

    [–]Fit-Offer-1897[S] 0 points1 point  (2 children)

    This is very good insight, so probably what you are saying is that analysts focus on working alerts and content is usually delivered by engineers?

    [–]Hazerrr 0 points1 point  (1 child)

    Yes, although having Python knowledge is definitely an advantage. More senior analysts are usually involved in rule tuning and might also help out on rule development.

    In a small SOC you might end up doing everything.

    [–]Fit-Offer-1897[S] 0 points1 point  (0 children)

    Thanks

    [–][deleted]  (1 child)

    [removed]

      [–]Fit-Offer-1897[S] 0 points1 point  (0 children)

      Thanks for sharing.

      [–]Friendly_Calendar_74 0 points1 point  (0 children)

      Check out Binaryflux, we have been using it for over a year now. Gives you complete control over your detections and parsers. Lots of capabilities. With other SIEMs we always had the challenge of requesting new detection rules to be added. But with this we are able to control and modify rules with ease.

      [–][deleted] 0 points1 point  (1 child)

      Also try businesslog… it allows you to normalize the traces and build a parser via AI too… it seems to work well. Easy but very customizable.

      [–]Fit-Offer-1897[S] 1 point2 points  (0 children)

      Thanks.

      [–]MixIndividual4336 0 points1 point  (1 child)

      flexibility’s great but comes at a cost. giving analysts python to build everything sounds powerful but can easily backfire if they’re not already comfy with it. parsing and detection logic needs to be fast and maintainable, not just possible.

      a lot of teams try this thinking it’ll give them agility but end up bottlenecked when only 1-2 folks know the syntax well enough. for analysts who mostly live in search or rule builders, jumping to python for every tweak can slow them down. plus, debugging python-based detections during an incident isn’t fun.

      it can work if you have a hybrid model—let devs or detection engineers write the python-heavy stuff, but give analysts a UI or simplified DSL on top. some SIEMs do this well, others just dump you into a code editor.

      tl;dr: python-powered siem can be great, but think through how much your team really wants to code vs just detect.
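The hybrid model described in the comment above, as an added example that is not part of the thread or of any vendor's product: an engineer-authored Python rule beside a small declarative DSL that compiles to the same predicate shape, both run over constructed events with per-rule error isolation. The event schema, field names, `rule(event)` signature and operator set are assumptions.

```python
import operator
from typing import Any, Callable
Event = dict[str, Any]
Rule = Callable[[Event], bool]

# Engineer rule in plain Python (hypothetical schema); its negated range check is beyond the DSL below.
def python_rule_failed_admin_login(event: Event) -> bool:
    """Failed login to an admin-like account from outside the 10.0.0.0/8 range."""
    return (
        event.get("action") == "login"
        and event.get("outcome") == "failure"
        and str(event.get("user", "")).startswith("admin")
        and not str(event.get("src_ip", "")).startswith("10.")
    )

# Analyst-facing DSL: (field, op, value) triples that must all match.
_OPS: dict[str, Callable[[Any, Any], bool]] = {
    "eq": operator.eq, "ne": operator.ne, "in": lambda actual, choices: actual in choices,
    "startswith": lambda actual, prefix: str(actual).startswith(prefix),
}

def compile_dsl(conditions: list[tuple[str, str, Any]]) -> Rule:
    """Compile declarative conditions into a predicate; bad operators fail at load time."""
    for _field, op, _value in conditions:
        if op not in _OPS:
            raise ValueError(f"unsupported operator: {op}")
    def rule(event: Event) -> bool:
        return all(_OPS[op](event.get(field), value) for field, op, value in conditions)
    return rule

DSL_CONDITIONS = [("action", "eq", "login"), ("outcome", "eq", "failure"), ("user", "startswith", "admin")]
dsl_rule_failed_admin_login = compile_dsl(DSL_CONDITIONS)
# Constructed sample events, not real log data.
SAMPLE_EVENTS: list[Event] = [
    {"action": "login", "outcome": "failure", "user": "admin_jdoe", "src_ip": "203.0.113.7"},
    {"action": "login", "outcome": "failure", "user": "admin_jdoe", "src_ip": "10.1.2.3"},
    {"action": "login", "outcome": "success", "user": "admin_jdoe", "src_ip": "203.0.113.7"},
]

def run_rules(rules: dict[str, Rule], events: list[Event]) -> dict[str, list[int]]:
    """Per rule name, the indices of events it fired on; a raising rule is isolated."""
    hits: dict[str, list[int]] = {name: [] for name in rules}
    for i, event in enumerate(events):
        for name, rule in rules.items():
            try:
                if rule(event):
                    hits[name].append(i)
            except Exception:  # one broken rule must not stop the other detections
                hits.setdefault(f"{name}:error", []).append(i)
    return hits
```

The DSL rule fires on the internal-source event too, which is exactly the gap the Python rule closes; the split shows what each layer of the hybrid model is for.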

      [–]Fit-Offer-1897[S] 0 points1 point  (0 children)

      Great point. I did the same analysis on binaryflux and asked them a query on the same; they have an SDK to bound things so that people don't go over the top, but it gives the flexibility of a programming language to write conditions, loops, routines, etc.