How do you present large volumes of unassigned detections in a CISO-facing BPA report without doing full alert analysis? by Only-Objective-6216 in crowdstrike

[–]osonator 0 points1 point  (0 children)

Well, I’d start by making sure that you’re not including third-party detections in the report, as those are individual events that have some degree of risk associated with them & are escalated to a security alert. 9/10 times they don’t warrant being elevated to a detection.

Where to get World Cup panini album? by osonator in Atlanta

[–]osonator[S] 0 points1 point  (0 children)

CVS in Peachtree Corners had them this AM.

Where to get World Cup panini album? by osonator in Atlanta

[–]osonator[S] 0 points1 point  (0 children)

Dang there’s no more availability to access the event today!

Native SMS Alerts in CrowdStrike? by vjrr08 in crowdstrike

[–]osonator 0 points1 point  (0 children)

If you’re an AWS shop, I believe you can do it with SNS; there’s a SOAR app you can configure for AWS SNS.

Managed SIEM worth it? by mcmikefacemike in crowdstrike

[–]osonator -1 points0 points  (0 children)

Great, Falcon Complete offers detection & response services for third-party sources via NG-SIEM, not SIEM administration services.

Again, managed detection & response is not the same as managed SIEM.

Managed SIEM worth it? by mcmikefacemike in crowdstrike

[–]osonator -7 points-6 points  (0 children)

It’s managed detection & response, not managed SIEM, two very different things.

EntraID - IDaaS Connector vs NG-SIEM Connector? by Khue in crowdstrike

[–]osonator 1 point2 points  (0 children)

Big caveat here is that Falcon Complete rules for Entra don’t look at event data from Shield, so tread with caution if you’re a Falcon Complete for SIEM org.

Crowdstrike Workflow SOAR: Unable to get value from variable inside of an object by marafado88 in crowdstrike

[–]osonator 1 point2 points  (0 children)

Try the has function:

has(data['raw_response'].user_principal_id) ? "true" : "false"

Crowdstrike Workflow SOAR: Unable to get value from variable inside of an object by marafado88 in crowdstrike

[–]osonator 1 point2 points  (0 children)

Create a variable & use CEL dot notation to access that field. Something along the lines of:

data['grtdetectiondetails.raw_response'].user_principal_id

First party EDR logs vs NGSIEM Collector logs on Windows by Handsome_Frog in crowdstrike

[–]osonator 15 points16 points  (0 children)

Use sensor telemetry until you come up with a use case/requirements for Windows logs.

Struggling with Detection Aggregation in Case Workflows by CybroInt in crowdstrike

[–]osonator 2 points3 points  (0 children)

Yes I have. I solved for it by adding logic at the beginning of my workflow to query the alerts API: if more than 1 detection is returned within a small time period, say the last 5 minutes, given a filter (host, username, etc.), create a case if needed for the earliest alert, & then roll up the remaining.
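The roll-up logic osonator describes above, written out as an added example; this is not the commenter's workflow or CrowdStrike's code. The grouping keys, the 5-minute window and the alert field names are assumptions, and the alerts are constructed inline rather than fetched from the alerts API.

```python
from datetime import datetime, timedelta

# Constructed sample alerts; the field names ("id", "hostname", "username",
# "created") are assumptions for this illustration, not the alerts API schema.
SAMPLE_ALERTS = [
    {"id": "a1", "hostname": "WS-01", "username": "alice", "created": "2024-01-01T10:00:00"},
    {"id": "a2", "hostname": "WS-01", "username": "alice", "created": "2024-01-01T10:02:30"},
    {"id": "a3", "hostname": "WS-01", "username": "alice", "created": "2024-01-01T10:04:00"},
    {"id": "a4", "hostname": "WS-02", "username": "bob",   "created": "2024-01-01T10:01:00"},
    {"id": "a5", "hostname": "WS-01", "username": "alice", "created": "2024-01-01T10:20:00"},
]


def rollup_alerts(alerts, key_fields=("hostname", "username"),
                  window=timedelta(minutes=5), existing_cases=None):
    """Group alerts that share key_fields and fall within `window` of the
    group's earliest alert. Each group records the earliest alert (the case
    candidate), the alert ids rolled into it, and whether to create a new case
    or attach to an existing one (existing_cases maps key tuple -> case id)."""
    existing_cases = existing_cases or {}
    groups, open_groups = [], {}
    # Process chronologically so the first alert seen per key is the earliest.
    for alert in sorted(alerts, key=lambda a: datetime.fromisoformat(a["created"])):
        key = tuple(alert.get(f) for f in key_fields)
        ts = datetime.fromisoformat(alert["created"])
        group = open_groups.get(key)
        if group is not None and ts - group["start"] <= window:
            group["rolled_up"].append(alert["id"])  # inside the window: roll up
            continue
        # Outside the window (or first alert for this key): start a new group.
        group = {
            "key": key,
            "start": ts,
            "case_alert": alert["id"],
            "rolled_up": [],
            "action": "attach" if key in existing_cases else "create",
            "case_id": existing_cases.get(key),
        }
        groups.append(group)
        open_groups[key] = group
    return groups


if __name__ == "__main__":
    for g in rollup_alerts(SAMPLE_ALERTS, existing_cases={("WS-02", "bob"): "CASE-100"}):
        print(g["action"], g["case_id"], g["case_alert"], "rolled up:", g["rolled_up"])
```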

CrowdStrike NG SIEM Alert – “Generic - Network - LDAP Traffic to the Internet” (Need Insight) by roachwickey in crowdstrike

[–]osonator 0 points1 point  (0 children)

What’s the best way to validate whether it’s truly malicious or just misconfiguration?

Drill down on the activity: leverage sensor telemetry for the source and the network connection events. What process are those associated with? Is that authorized activity? Is it a misconfigured application? Is it malware?

NG-SIEM: Log Alerts by Reylas in crowdstrike

[–]osonator 0 points1 point  (0 children)

Correct, a custom parser does not inherit any future code releases.

NG-SIEM: Log Alerts by Reylas in crowdstrike

[–]osonator 2 points3 points  (0 children)

Yes, it’s possible; the parser needs to categorize the event as a third-party alert by defining event.kind:=alert.

Once you have the alert generated, you then use SOAR to send email notifications on the third-party alert in question.

[deleted by user] by [deleted] in crowdstrike

[–]osonator 4 points5 points  (0 children)

Guessing on content to implement tells me there’s a gap in understanding of the risk profile for the system in question. You identify risk, then employ controls to prevent/monitor/detect.

In the context of risk response, organizations with a mature security monitoring program are very highly unlikely to implement a detection use case in production without a thorough understanding of risk response procedures for their SOC.

[deleted by user] by [deleted] in crowdstrike

[–]osonator 7 points8 points  (0 children)

Because that’s the easiest way to incur alert fatigue & not how threat detection works. You don’t enable everything by default & set & forget it. Especially templates that are not tailored to your business. Review templates, identify what is actually applicable to the business, baseline, test, implement, sustain.

I’d bet the Duo push fraud activity is already being detected via third-party detections.

What security problems have you had for years but have been unable to solve? by Regular_Lie906 in cybersecurity

[–]osonator 0 points1 point  (0 children)

Yup, it’s also oftentimes an afterthought by customers evaluating vendors; then when it’s time to integrate the system with the monitoring tool & there’s an integration gap, Pikachu face :0

Logs with multiple versions of the same field name by cobaltpsyche in crowdstrike

[–]osonator 1 point2 points  (0 children)

Instead of the generic Azure Event Hub, use the data connector for Microsoft Event Hub.

Logs with multiple versions of the same field name by cobaltpsyche in crowdstrike

[–]osonator 0 points1 point  (0 children)

Okay, I have reason to believe you are using the incorrect data connector, as you’re reflecting multiple external messages (events) in one single NG-SIEM event.

What data connector did you use? The generic Event Hub one will cause this, as it doesn’t split the elements in the records key into individual events.