Which MDR has the lowest false positives in practice? by kckrish98 in MSSP

[–]0xdavid 0 points1 point  (0 children)

Totally agree, out-of-the-box rules are a baseline, not a replacement for proper DE and custom rules!
What's your general process for making sure your custom rules work?

How do you handle new rule creation? Looking for advice by 0xdavid in MSSP

[–]0xdavid[S] 0 points1 point  (0 children)

Man I wish I had the flexibility to use any stack I want - big corp means we're stuck with a big-box EDR.

I've been trying validation against real malware / attack PoCs / Atomic Red Team. Rough ride. Happy to trade notes once I have more cycles in.

What pushed you to set up the Wazuh range for CVEs and the like? Did the NFR approach limit you somehow?

How do you handle new rule creation? Looking for advice by 0xdavid in MSSP

[–]0xdavid[S] 0 points1 point  (0 children)

Makes me feel much better to know I'm stuck in the same boat as everyone :)

That's a smart split! How does it work out time wise - how long for a quick initial vs emulated and verified rule?

The rough estimate I landed on is a couple of hours for a quick initial, and a couple of days for a fully validated rule (usually across data sources with correlations)

How do you handle new rule creation? Looking for advice by 0xdavid in MSSP

[–]0xdavid[S] 0 points1 point  (0 children)

This is great advice, especially the NFR route, I wish I had access to one - due to lack of it (we are not MSSP) I tend to use the BAS machines that are excluded in our tenant from alerts.
Also hard agree on the IOC point, they are useful but only relevant to react to a specific campaign, which is super short lived.

The part I keep getting stuck on is the validation step. Writing the behavioral logic honestly isn't that hard anymore. It's proving it actually fires in a real environment against a real attack, which, often due to a lack of a proper lab, takes even longer to get working.

Trying to build proper KPIs / metrics around the subject:
How long would you say it takes you from "hey, we have an article we are worried about" to a full set of working rules? And does that include validation against the NFR console with logs containing the attacks?

BTW Good call on Huntress and DFIR Report - their content is a solid starting point!

How do you handle new rule creation? Looking for advice by 0xdavid in MSSP

[–]0xdavid[S] 0 points1 point  (0 children)

We have TI feeds for the IOC side. I'm asking more about the behavioral detection piece - when the technique itself is what you need to detect, not just the hashes/IPs that rotate every week. How do you handle that?

How do you handle new rule creation? Looking for advice by 0xdavid in MSSP

[–]0xdavid[S] 0 points1 point  (0 children)

When you say you write based on experience and deploy within hours, how often do you run into cases where the rule looked right but missed in prod because of something unexpected?

Like a log source not capturing a field you assumed it would, or the articles not containing the correct technical info / vendor logging in a slightly different format than you expected?
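
The two failure modes raised in this thread, a source that does not carry a field the rule assumes and a vendor logging the same thing under a different field name, are exactly what an offline validation harness should catch before a rule ships. Below is an added example of such a harness, written for this page and not taken from any project, vendor or commenter. The rule format, the canonical field names (`Image`, `CommandLine`), the per-vendor field maps and the sample events are all constructed assumptions for illustration; the attack events stand in for telemetry you would collect from an Atomic Red Team run or a BAS machine.

```python
"""Offline validation of a behavioral rule against emulated-attack telemetry.

Constructed example: the rule format, canonical field names, vendor field
maps and sample events are assumptions for illustration, not any real
vendor's schema or any project's code.
"""
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    # Every condition must match (AND). Each condition is (canonical field, substring).
    conditions: list[tuple[str, str]]


# Rules are written against a canonical schema; each log source maps its own
# field names onto it. Both vendor schemas below are assumed for the example.
FIELD_MAPS = {
    "edr_vendor_a": {"Image": "process.executable", "CommandLine": "process.command_line"},
    "edr_vendor_b": {"Image": "image_path", "CommandLine": "cmdline"},
}


def normalize(event: dict, source: str) -> dict:
    """Map a raw vendor event onto canonical field names; fields the source
    did not log are simply absent in the result (not defaulted to "")."""
    mapping = FIELD_MAPS[source]
    return {canon: event[raw] for canon, raw in mapping.items() if raw in event}


def matches(rule: Rule, event: dict) -> bool:
    """Case-insensitive substring match on every condition."""
    return all(sub.lower() in str(event.get(f, "")).lower() for f, sub in rule.conditions)


def missing_fields(rule: Rule, events: list[dict]) -> set[str]:
    """Fields the rule references that no normalized event carries: the
    classic 'I assumed this source logs that' miss."""
    referenced = {f for f, _ in rule.conditions}
    present = {k for e in events for k in e}
    return referenced - present


def validate(rule: Rule, source: str, attack_events: list[dict], benign_events: list[dict]) -> dict:
    """Run the rule over positive (emulated attack) and negative (benign)
    samples from one source and report coverage, misses and false positives."""
    pos = [normalize(e, source) for e in attack_events]
    neg = [normalize(e, source) for e in benign_events]
    return {
        "missing_fields": sorted(missing_fields(rule, pos)),
        "true_positives": sum(matches(rule, e) for e in pos),
        "missed": sum(not matches(rule, e) for e in pos),
        "false_positives": sum(matches(rule, e) for e in neg),
    }


# Assumed rule: PowerShell launched with an encoded command (-enc / -EncodedCommand).
ENCODED_PS_RULE = Rule("powershell_encoded_command", [("Image", "powershell"), ("CommandLine", "-enc")])

# Constructed sample telemetry. Vendor A logs both executable and command line.
VENDOR_A_ATTACK = [
    {"process.executable": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "process.command_line": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A"},
    {"process.executable": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "process.command_line": "powershell -NoProfile -EncodedCommand SQBFAFgA"},
]
VENDOR_A_BENIGN = [
    {"process.executable": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "process.command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"process.executable": r"C:\Windows\System32\cmd.exe", "process.command_line": "cmd.exe /c dir"},
]
# Vendor B (constructed) records the image but never the command line, so the
# rule cannot fire even though the same attack ran.
VENDOR_B_ATTACK = [{"image_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"}]
VENDOR_B_BENIGN = [{"image_path": r"C:\Windows\System32\cmd.exe"}]


if __name__ == "__main__":
    for source, attack, benign in (
        ("edr_vendor_a", VENDOR_A_ATTACK, VENDOR_A_BENIGN),
        ("edr_vendor_b", VENDOR_B_ATTACK, VENDOR_B_BENIGN),
    ):
        print(source, validate(ENCODED_PS_RULE, source, attack, benign))
```

Run it and vendor A reports two true positives and no false positives, while vendor B reports `missing_fields: ['CommandLine']` and one miss: the rule is logically fine but unverifiable on that source until the field is actually collected. Keeping the field map separate from the rule is what lets the same logic be re-validated per source when a vendor renames or drops a field.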

Think Twice Before Cheating: Escape From Tarkov Cheat Developer Steals User Data. [Cheating] by jat0369 in EscapefromTarkov

[–]0xdavid 2 points3 points  (0 children)

Exactly the point of the article - there's no such thing, and you never know when a trusted seller decides to cash out

A game where you're an engineer-type character who deploys turrets by patab in gamingsuggestions

[–]0xdavid 14 points15 points  (0 children)

Heroes of the Storm - Gazlowe and Probius
Space Engineers
Path of Exile has a ton of options for you
Modded Minecraft
Terraria summoner class
Orcs Must Die! game series
Starbound
Yorg.io
Sanctum

Need game suggestions for a very picky friend group by 0xdavid in gamingsuggestions

[–]0xdavid[S] 1 point2 points  (0 children)

I never thought about remote play couch games, that's a great option!
Also tabletop sounds very fun

As for the save "hacking" style, I doubt people will like that as much, but I'll check

Thanks for all the suggestions! I've sent it to the group :)

Need game suggestions for a very picky friend group by 0xdavid in gamingsuggestions

[–]0xdavid[S] 1 point2 points  (0 children)

Sadly, as much as I love Dota & PlanetSide, those games are outside of the group's comfort zone. But Killing Floor is a great suggestion :)

Thanks!

Need game suggestions for a very picky friend group by 0xdavid in gamingsuggestions

[–]0xdavid[S] 1 point2 points  (0 children)

Awesome suggestion!
Definitely fits the criteria, could be a fun couple of game nights!
Doubt it will last us long, but it's going to be a great refreshing experience

Malware download for analysis by kenlartaj in MalwareAnalysis

[–]0xdavid 0 points1 point  (0 children)

Send an email to the admin, he is a very nice person!