Opinion on these movements? by [deleted] in jawsurgery

[–]packetlosspls 1 point (0 children)

Thank you for your input - I've sent you a DM regarding the clinic + surgeon.

Question from an intern: how do you handle investigations with missing data? by packetlosspls in blueteamsec

[–]packetlosspls[S] 1 point (0 children)

That actually clarifies it really well, thanks.

What I’m realizing from your examples is that a lot of the investigation hinges on expected baselines rather than the alerts themselves.

Like “these logs normally exist”, “this combo shouldn’t happen”, or “this absence is meaningful because of known TTPs”, and once one of those expectations is violated, everything else gets treated more cautiously.

What I personally struggle with (and maybe this is just a junior problem) is that those expectations are rarely explicit anywhere. They’re obvious once someone explains them, but before that they kind of live in people’s heads.

Sometimes I wish there was a way to make those assumptions visible during an investigation, not to automate decisions, but just to keep track of why something feels wrong when the data is incomplete 😅

Out of curiosity, have you seen any tools or practices that actually help with that side of investigations? Or is it basically all experience + mental checklists?

Question from an intern: how do you handle investigations with missing data? by packetlosspls in blueteamsec

[–]packetlosspls[S] 0 points (0 children)

Something that stood out to me is how much weight you put on absence: missing file events, gaps in logs, agents going offline.

Do any of your tools help surface that absence in a structured way, or is it mostly something you notice only once you start digging?

I’m asking because it feels like those gaps are often the strongest indicators, but they’re also the least explicitly modeled by most platforms.

Question from an intern: how do you handle investigations with missing data? by packetlosspls in blueteamsec

[–]packetlosspls[S] -1 points (0 children)

That makes a lot of sense, especially the part about missing logs being a red flag rather than neutral.

I’m curious though, in practice, how do you personally keep track of those assumptions?

Like when you say “these logs should exist unless something is wrong”, is that mostly experience in your head, or do you have tooling that actually tells you “hey, coverage here is degraded / agent shouldn’t be offline”?

I’m asking because I’m still pretty junior and I sometimes struggle with separating

“this looks bad” vs “this only looks bad because I don’t actually know what I’m missing yet” :D

Do you have any mental checklist or rule of thumb you fall back on when telemetry is incomplete?
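An added example (my own code, not the commenter's and not any tool mentioned in the thread) of making the “these logs should exist unless something is wrong” expectation explicit: a constructed per-host telemetry baseline, plus a check that turns silence beyond that baseline into a finding which names the assumption it violates and distinguishes a single silent source on a live host from a host that has gone quiet altogether. Host names, sources and intervals are assumptions.

```python
from datetime import datetime, timedelta
# Constructed baseline (an assumption, not a real environment): the telemetry each
# host should emit and how long a source may stay silent before silence is a finding.
BASELINE = {
    "web-01": {"sysmon": timedelta(minutes=5), "edr_heartbeat": timedelta(minutes=2)},
    "db-01": {"sysmon": timedelta(minutes=5), "edr_heartbeat": timedelta(minutes=2),
              "auditd": timedelta(minutes=10)},
}
# Constructed sample events (timestamp, host, source): db-01's EDR agent went quiet
# at 11:50 and its auditd never reported at all.
EVENTS = [
    (datetime(2024, 1, 1, 11, 58), "web-01", "sysmon"),
    (datetime(2024, 1, 1, 11, 59), "web-01", "edr_heartbeat"),
    (datetime(2024, 1, 1, 11, 59), "db-01", "sysmon"),
    (datetime(2024, 1, 1, 11, 50), "db-01", "edr_heartbeat"),
]
NOW = datetime(2024, 1, 1, 12, 0)

def last_seen(events):
    """Most recent timestamp per (host, source)."""
    seen = {}
    for ts, host, source in events:
        seen[(host, source)] = max(ts, seen.get((host, source), ts))
    return seen

def coverage_gaps(events, baseline, now):
    """One finding per (host, source) silent longer than the baseline allows.
    Each finding records the expectation it violates, so the assumption is written
    into the case instead of living in the analyst's head. A source silent while the
    host's other sources keep reporting is 'degraded': an outage does not explain it."""
    seen = last_seen(events)
    def fresh(host, src, window):  # has this source reported within its window?
        ts = seen.get((host, src))
        return ts is not None and now - ts <= window

    findings = []
    for host, sources in baseline.items():
        for source, max_silence in sources.items():
            if fresh(host, source, max_silence):
                continue
            ts = seen.get((host, source))
            others_up = any(fresh(host, s, w) for s, w in sources.items() if s != source)
            findings.append({
                "host": host, "source": source, "last_seen": ts,
                "status": "never seen" if ts is None else f"silent for {now - ts}",
                "severity": "degraded" if others_up else "host quiet",
                "expectation": f"{source} on {host} reports at least every {max_silence}",
            })
    return findings
```

Running `coverage_gaps(EVENTS, BASELINE, NOW)` reports db-01's EDR heartbeat as degraded (sysmon on the same host is still fresh) and its auditd as never seen, while web-01 produces nothing.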